Ingress filtering on transits, peers, and IX ports

Baldur Norddahl baldur.norddahl at gmail.com
Tue Oct 20 19:16:43 UTC 2020


Might filtering port 11211 like that not risk blocking random connections,
where the operating system picked that port as source, which then becomes
destination on the reply packets?

On Tue, 20 Oct 2020 at 07:19, Randy Bush <randy at psg.com> wrote:

> term blocked-ports {
>     from {
>         protocol [ tcp udp ];
>         first-fragment;
>         destination-port
>             [ 0 sunrpc 135 netbios-ns netbios-dgm netbios-ssn 111 445
> syslog 11211];
>         }
>     then {
>         sample;
>         discard;
>         }
>     }
>
> and i block all external access to weak devices such as switches, pdus,
> ipmi, ...
>
> randy
>
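To make the exchange concrete, here is an added illustration in Python that is not part of the thread and not Randy's or Baldur's code. It models a stateless filter with the same shape as the quoted Junos term (TCP/UDP, first fragment, destination port in the block list) and runs it over constructed packets, including the case Baldur raises: an inside host opened an outbound connection and its operating system happened to pick 11211 as the ephemeral source port, so the reply arrives with 11211 as its destination port. A second variant, which is my assumption rather than anything the thread proposes, matches TCP only on connection initiations (SYN without ACK, the condition Junos exposes as `tcp-initial`) so that replies to connections opened from inside are left alone. Port names from the quoted list are resolved to numbers in the code; all packets and addresses are constructed.

```python
from dataclasses import dataclass

# Ports from the quoted Junos term, resolved to numbers
# (sunrpc=111, netbios-ns/dgm/ssn=137/138/139, syslog=514).
BLOCKED_PORTS = frozenset({0, 111, 135, 137, 138, 139, 445, 514, 11211})


@dataclass(frozen=True)
class Packet:
    """Just the header fields the filter looks at."""
    proto: str                 # "tcp" or "udp"
    src_port: int
    dst_port: int
    first_fragment: bool = True
    syn: bool = False          # TCP flags; ignored for UDP
    ack: bool = False


def discard_v1(pkt: Packet) -> bool:
    """Stateless filter with the same shape as the quoted term:
    TCP/UDP, first fragment, destination port in the block list.
    True means the packet is discarded."""
    return (pkt.proto in ("tcp", "udp")
            and pkt.first_fragment
            and pkt.dst_port in BLOCKED_PORTS)


def discard_v2(pkt: Packet) -> bool:
    """Refinement (an assumption, not something the thread proposes):
    for TCP, match only connection initiations (SYN set, ACK clear,
    which is what the Junos `tcp-initial` condition matches), so reply
    segments of connections the inside host opened are left alone.
    UDP has no handshake, so it is still matched by port alone."""
    if not pkt.first_fragment or pkt.dst_port not in BLOCKED_PORTS:
        return False
    if pkt.proto == "tcp":
        return pkt.syn and not pkt.ack
    return pkt.proto == "udp"


# Constructed sample packets, as seen inbound on a transit/peer/IX port.
# An inside host opened a TCP connection to a web server and the OS picked
# 11211 as the ephemeral source port; this is the server's SYN-ACK coming back.
TCP_REPLY_TO_11211 = Packet("tcp", src_port=443, dst_port=11211, syn=True, ack=True)
# Same situation with UDP: a DNS answer returning to ephemeral port 11211.
UDP_REPLY_TO_11211 = Packet("udp", src_port=53, dst_port=11211)
# Ordinary inbound HTTPS connection to a web server inside.
TCP_SYN_TO_443 = Packet("tcp", src_port=51000, dst_port=443, syn=True)
# What the term is there for: an outside party reaching an inside memcached.
TCP_SYN_TO_11211 = Packet("tcp", src_port=51000, dst_port=11211, syn=True)
UDP_PROBE_TO_11211 = Packet("udp", src_port=51000, dst_port=11211)

LEGITIMATE = {"tcp reply to ephemeral 11211": TCP_REPLY_TO_11211,
              "udp reply to ephemeral 11211": UDP_REPLY_TO_11211,
              "inbound https syn": TCP_SYN_TO_443}
UNWANTED = {"tcp syn to memcached": TCP_SYN_TO_11211,
            "udp probe to memcached": UDP_PROBE_TO_11211}


def collateral(filter_fn) -> list[str]:
    """Names of legitimate packets the filter would discard."""
    return sorted(name for name, p in LEGITIMATE.items() if filter_fn(p))


def missed(filter_fn) -> list[str]:
    """Names of unwanted packets the filter would let through."""
    return sorted(name for name, p in UNWANTED.items() if not filter_fn(p))


if __name__ == "__main__":
    for label, fn in (("v1 port-only", discard_v1), ("v2 tcp-initial", discard_v2)):
        print(f"{label}: collateral={collateral(fn)} missed={missed(fn)}")
```

Running it shows the port-only filter dropping both reply packets while the `tcp-initial` variant keeps the TCP reply and still blocks every unwanted packet. The UDP reply is dropped by both, because a stateless filter has nothing but ports to go on; that residual risk is what host-side port ranges address. Current Linux defaults (`net.ipv4.ip_local_port_range` of 32768 to 60999) and Windows defaults (49152 to 65535) never pick 11211 as an ephemeral port, and Linux can additionally exclude specific ports from selection with `net.ipv4.ip_local_reserved_ports`, but older or retuned hosts behind such a filter can still hit the collision Baldur describes.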