The "not long discussion" thread....
Christopher L. Morrow
christopher.morrow at mci.com
Thu Apr 28 01:47:36 UTC 2005
On Wed, 27 Apr 2005, Jerry Pasker wrote:
>
> Christopher L. Morrow allegedly wrote:
>
> >This, it seems, was an unfortunate side effect (as I pointed out earlier)
> >of legacy software and legacy config... if I had to guess.
>
> You guess wrong. See the above. And don't pass judgement. (am I
> being cited for lack of clue? It kind of feels like it) It wasn't a
no lack of clue meant, just pointing out one possible cause of the acl
usage. I don't think I saw the original reasoning in the original email.
> *BAD* thing, it was a *GOOD* thing. It made things better, not
> worse. I still may go back and re-implement port 53 blocks in the
> future if I find a good reason to. I know now that it doesn't really
> cause operational problems. At least not in a smaller ISP
> environment. Would I want a transit network to block TCP 53? Of
> course not. But my end customers request those types of services
> regularly, so I try to provide what they want.
>
Sure, this is a form of 'managed security services' and the customer (and
you) agree to that policy change.
> And don't think I'm coming off as all ticked off and defensive. I'm
> not ticked off, I'm actually enjoying this. As for being defensive?
> Maybe. I'm trying hard not to be though. I really can't help
> myself........I have this lurking fear that I'm being tossed in to
> the "clueless block TCP 53 with an outsourced firewall, and don't
> know what I'm doing beyond that" group that I so despise. ;-)
> Especially on this list, full of people that I have so much respect
> for.
either way, it was just one possibility of many for the acl to be there,
nothing more :)
> good of the group, and therefore, worth it. And I still think that.
excellent, it probably helps Patrick, the world-nic folks and others as
well :)