[112652] in North American Network Operators' Group


Re: Dynamic IP log retention = 0?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Mar 12 12:31:20 2009

To: Marcus Reid <marcus@blazingdot.com>
In-Reply-To: Your message of "Wed, 11 Mar 2009 07:53:01 -0800."
	<20090311155301.GA99262@blazingdot.com>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 12 Mar 2009 12:31:03 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


On Wed, 11 Mar 2009 07:53:01 -0800, Marcus Reid said:

> A quick scan of the reverse mapping for your address space in DNS reveals
> that you have basically your entire network on public addresses.  No wonder
> you're worried about portscans when the printer down the hall and the
> receptionist's machine are sitting on public addresses.  I think you are
> trying to secure your network from the wrong end here.

You *do* realize that "has a public address" does not actually mean that
the machine is reachable from random addresses, right?  There *are* these
nice utilities called iptables and ipf - even Windows and Macs can be configured
to say "bugger off" to unwanted traffic.  And you can put a firewall appliance
inline without using NAT as well.


