Re: Why you have hardware firewalls
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: Wed, 06 Apr 2005 15:01:54 -0500
In article <firstname.lastname@example.org>, Arthur Hagen wrote:
>That seems like tossing the baby out with the bath water. I'm sure you're
>going to curse your decision the next time you need to download an Asus BIOS
>from Taiwan, or access BBC World News, or something else :-)
As you know, a very standard rule of thumb is that if you are not offering
a service, the port is closed. This also applies to countries or regions.
If your company has no plans to offer their product/service to this or
that place/entity, then not accepting a connection is a reasonable decision.
Where my wife works, they sell product to the USA and Mexico, and to reduce
the spam problem, the network admin has a quite restrictive set of firewall
rules. Heck, I know he's even blocked two major ISPs in Canada.
But think about this again - my home network offers absolutely NO services
to ANYONE. But the rules that deny all new incoming connections don't
prevent me from hitting www.asus.com (which for me, resolves to a CERFnet
address in the USA) or www.asus.com.tw (18.104.22.168) or to
www.bbc.com (22.214.171.124) or www.bbc.co.uk which is a nickname for
www.bbc.net.uk (126.96.36.199). I don't know what you might be using
as a firewall, but surely it can block inbound packets with a SYN flag
without an ACK flag set. There really are several networks that my
upstream has set null routes for us, but it's comparatively few, and they
are there for extreme abuse.
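
The rule described in the post above (refuse inbound packets that have SYN set without ACK), as an added example that is not part of the original post: a stateless check applied to one outbound web fetch and one unsolicited inbound connection attempt. The packets are constructed sample data using RFC 5737 documentation addresses, and the function names and the fail-closed handling of non-TCP input are assumptions of this example.

```python
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits

def tcp_flags(packet: bytes) -> int:
    """Return the TCP flags byte of a raw IPv4 packet, or raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != 6:        # protocol 6 = TCP
        raise ValueError("not TCP")
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    return packet[ihl + 13]               # flags live at TCP offset 13

def verdict(packet: bytes, inbound: bool) -> str:
    """Refuse inbound SYN-without-ACK; let everything else through."""
    try:
        flags = tcp_flags(packet)
    except ValueError:
        return "DROP"  # assumption: fail closed on anything not well-formed TCP
    if inbound and (flags & SYN) and not (flags & ACK):
        return "DROP"  # a new connection attempt from outside
    return "ACCEPT"

def build(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample packet: 20-byte IPv4 + 20-byte TCP, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

HOME, WEB, STRANGER = "192.0.2.10", "198.51.100.80", "203.0.113.7"  # RFC 5737

def demo():
    """Verdicts for one outbound web fetch and one unsolicited inbound SYN."""
    cases = [
        ("out SYN",     build(HOME, WEB, 40000, 80, SYN), False),
        ("in SYN+ACK",  build(WEB, HOME, 80, 40000, SYN | ACK), True),
        ("in ACK data", build(WEB, HOME, 80, 40000, ACK), True),
        ("in bare SYN", build(STRANGER, HOME, 51000, 22, SYN), True),
    ]
    return [(name, verdict(pkt, inbound)) for name, pkt, inbound in cases]

if __name__ == "__main__":
    for name, result in demo():
        print(f"{name:12} {result}")
```

Because the check is stateless, it accepts any inbound segment with ACK set, whether or not it answers a connection opened from inside; a stateful filter adds that connection-tracking check.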