echo: bbs_carnival
to: Matt Munson
from: mark lewis
date: 2018-07-08 06:18:08
subject: dtdns

On 2018 Jul 05 20:33:46, you wrote to Sean Dennis:

 SD>> A lot of these small firewall setups aren't enough to handle the crap
 SD>> that's floating around on the Internet.  You really need an edge
 SD>> firewall that simply blocks entire countries at first and then will
 SD>> let you ban entire CIDR ranges from connecting.  Until you get
 SD>> something with some gusto going you're going to have issues.  Even my

 MM> Even with country blocking filters they still try to contact my server
 MM> :(

of course they do... they're simply scanning ranges of IP numbers... if you
don't block them at the perimeter, your server(s) are going to have to deal
with them... even if it means you have country blocks that your servers
need to handle to know if they should drop the connection or not... that's
why folks like sean and myself have been saying to drop this junk at the
perimeter firewall... that way your server(s) (sbbs, nginx, apache, ftp
server, nntp server, etc) don't have to deal with it...

 MM> I wonder if I should try the Symantec or Bitdefender hardware firewall
 MM> products.

absolutely not... that is not ON your perimeter... that's IN your
network... this is what we're talking about... right now, you have this...


  internet -> ISP modem -> your network(s)


so everything is on your ISP modem to do all the work... for the most part,
it is quite capable... but it cannot handle large lists and you cannot
customize it to add things like intrusion detection or intrusion protection
services (aka IDP/IPS)... what we're saying is to do this...


  internet -> ISP modem -> perimeter firewall -> your network(s)


in this setup, your ISP modem is (hopefully) in "bridge mode"...
that means it is basically out of the loop other than converting your DSL
or cable internet signal into TCP/IP for your network comms... it doesn't
do anything else... no routing, no DHCP, no nothing... everything now is
done by your perimeter firewall... a firewall that has plenty of storage
and memory... a firewall that you can actually sit down and enter huge
lists of country IP ranges to block... a firewall that can actually detect
when something nefarious is trying to get in or out... if your ISP modem
can't do bridge mode, then it simply means that your connection will be
double-NAT'ed... that means that you'll have a RFC-1918 address on your
firewall's WAN port and it'll be handing out addresses and managing
connections for another (set of) RFC-1918 addresses... it isn't a big deal
but it can really hamper some tasks...

granted, this means having another machine running as well as having
another switch/hub or two or three but this is a huge sight better than
relying on those black boxes the ISPs give you or that you purchase at Best
Buy or Circuit City or other similar places that sell electronics... i'll
never set up another network without a perimeter firewall... ever...

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin'
it wrong...
... Thou shall flirt shamelessly with all members of the opposite sex.
---
* Origin: (1:3634/12.73)
SEEN-BY: 15/0 18/200 19/36 34/999 90/1 116/18 120/302 331 123/140 128/2
SEEN-BY: 153/7715 218/700 220/60 222/2 230/150 152 240/1120 250/1 261/38 100
SEEN-BY: 266/404 512 267/155 275/100 280/1027 282/1031 1056 1060 291/1 111
SEEN-BY: 320/119 219 340/400 342/13 393/68 396/45 633/267 280 640/384 712/620
SEEN-BY: 712/848 770/1 801/161 189 2320/100 105 3634/12 5020/1042
@PATH: 3634/12 261/38 712/848 633/267
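Added example, not part of mark lewis's post or of any firewall product mentioned in it: a small Python script that shows the two points the message makes. It parses a CIDR block list (the "huge lists of country IP ranges"), collapses it, decides per inbound source address whether the perimeter should drop the connection before sbbs, nginx, apache, etc. ever see it, renders that list as an nftables snippet for a Linux perimeter box (the table/chain layout is my assumption, and the generated text is meant to be reviewed before loading), and flags the double-NAT case by checking whether the firewall's WAN address is an RFC 1918 address. All ranges and addresses are constructed sample values.

```python
"""Perimeter block-list helper (added example; all data below is constructed)."""
import ipaddress
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# RFC 1918 private ranges: one of these on the firewall's WAN port means the
# ISP modem is not in bridge mode and is still NATing in front of you.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample block list in CIDR-per-line form (documentation ranges only).
SAMPLE_BLOCKLIST = """
# constructed sample: ranges to drop at the perimeter
203.0.113.0/24
198.51.100.0/25
198.51.100.128/25
2001:db8:bad::/48
"""


def load_blocklist(text: str) -> List[IPNetwork]:
    """Parse a CIDR-per-line list (blank lines and # comments skipped) and
    collapse adjacent or overlapping ranges so the firewall set stays small."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses only accepts one address family at a time
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def should_drop(src: str, blocklist: List[IPNetwork]) -> bool:
    """Perimeter decision: True when the source address falls in a blocked range."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in blocklist)


def nft_rules(blocklist: List[IPNetwork], table: str = "perimeter") -> str:
    """Render an nftables snippet (assumed layout, review before `nft -f`) that
    drops blocked sources in the prerouting hook, before routing and before any
    local service sees the packet. Empty sets are omitted: nft rejects them."""
    v4 = [str(n) for n in blocklist if n.version == 4]
    v6 = [str(n) for n in blocklist if n.version == 6]
    lines = [f"table inet {table} {{"]
    for name, typ, elems in (("blocked_v4", "ipv4_addr", v4),
                             ("blocked_v6", "ipv6_addr", v6)):
        if elems:
            lines.append(f"    set {name} {{ type {typ}; flags interval; "
                         f"elements = {{ {', '.join(elems)} }} }}")
    lines.append("    chain drop_blocked {")
    lines.append("        type filter hook prerouting priority -300; policy accept;")
    if v4:
        lines.append("        ip saddr @blocked_v4 counter drop")
    if v6:
        lines.append("        ip6 saddr @blocked_v6 counter drop")
    lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


def is_double_nat(wan_address: str) -> bool:
    """True when the firewall's WAN port holds an RFC 1918 address, i.e. the
    ISP modem is still routing/NATing and the box is double-NAT'ed."""
    addr = ipaddress.ip_address(wan_address)
    return addr.version == 4 and any(addr in net for net in RFC1918)


if __name__ == "__main__":
    nets = load_blocklist(SAMPLE_BLOCKLIST)
    for src in ("203.0.113.77", "198.51.100.200", "192.0.2.10", "2001:db8:bad::1"):
        print(f"{src:20} {'DROP' if should_drop(src, nets) else 'pass'}")
    print(nft_rules(nets))
    for wan in ("192.168.1.2", "203.0.113.9"):
        print(wan, "double NAT" if is_double_nat(wan) else "public WAN address")
```

The drop decision is made once, at the edge, on the source address alone; nothing behind the firewall has to parse a list or keep state for those connections, which is the whole point of the "perimeter firewall" box in the second diagram.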

SOURCE: echomail via fidonet.ozzmosis.com
