Subj : dtdns
To   : Matt Munson
From : mark lewis
Date : Sun Jul 08 2018 06:18 am

On 2018 Jul 05 20:33:46, you wrote to Sean Dennis:

SD>> A lot of these small firewall setups aren't enough to handle the crap
SD>> that's floating around on the Internet.  You really need an edge
SD>> firewall that simply blocks entire countries at first and then will
SD>> let you ban entire CIDR ranges from connecting.  Until you get
SD>> something with some gusto going you're going to have issues.  Even my

MM> Even with country blocking filters they still try to contact my server
MM> :(

of course they do... they're simply scanning ranges of IP numbers... if you
don't block them at the perimeter, your server(s) are going to have to deal
with them... even it if means you have country blocks that your servers need to
handle to know if they should drop the connection or not... that's why folks
like sean and myself have been saying to drop this junk at the perimeter
firewall... that way your server(s) (sbbs, nginx, apache, ftp server, nntp
server, etc) don't have to deal with it...

MM> I wonder if I should try the Symantec or Bitdefender hardware firewall
MM> products.

absolutely not... that is not ON your perimeter... that's IN your network...
this is what we're talking about... right now, you have this...


 internet -> ISP modem -> your network(s)


so everything is on your ISP modem to do all the work... for the most part, it
is quite capable... but it cannot handle large lists and you cannot customize
it to add things like intrusion detection or intrusion protection services (aka
IDP/IPS)... what we're saying is to do this...


 internet -> ISP modem -> perimeter firewall -> your network(s)


in this setup, your ISP modem is (hopefully) in "bridge mode"... that means it
is basically out of the loop other than converting your DSL or cable internet
signal into TCP/IP for your network comms... it doesn't do anything else... no
routing, no DHCP, no nothing... everything now is done by your perimeter
firewall... a firewall that has plenty of storage and memory... a firewall that
you can actually sit down and enter huge lists of country IP ranges to block...
a firewall that can actually detect when something nefarious is trying to get
in or out... if your ISP modem can't do bridge mode, then it simply means that
your connection will be double-NAT'ed... that means that you'll have a RFC-1918
address on your firewall's WAN port and it'll be handing out addresses and
managing connections for another (set of) RFC-1918 addresses... it isn't a big
deal but it can really hamper some tasks...

granted, this means having another machine running as well as having another
switch/hub or two or three but this is a huge sight better than relying on
those black boxes the ISPs give you or that you purchase at Best Buy or Circuit
City or other similar places that sell electronics... i'll never set up another
network without a perimeter firewall... ever...

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it
wrong...
... Thou shall flirt shamelessly with all members of the opposite sex.
---
* Origin:  (1:3634/12.73)