SLUG Mailing List Archives
[SLUG] Re: [Oz-ISP] Internet connection curiosity (further)
- To: Howard Lowndes <lannet@xxxxxxxxxxxxx>, Mail List - Oz-ISP <aussie-isp@xxxxxxxxxx>
- Subject: [SLUG] Re: [Oz-ISP] Internet connection curiosity (further)
- From: John Allan - Lists <johna-lists@xxxxxxxxxxxxx>
- Date: Mon Oct 23 14:39:48 2000
- Cc: Mail List - SLUG <slug@xxxxxxxxxxx>
Someone suggested (I forget who, but tks all the same) that it might be a
defrag problem so I went to look at the firewall logs and indeed there
were ICMP defrag packets, but from RFC1918 addresses, so they were being
blocked by the firewall.
I have a strict firewall policy of blocking any packet with an RFC1918
address, whether source or destination, or an inbound packet with a source
address from the site assigned IP block, or an outbound packet to a
destination address from the site assigned IP block.
Which is a good idea.
I am aware of an ISP who runs all of their router interfaces using
point-point links (where you or I would just throw a /29 or /30 at it and
be done with it) on RFC1918 address space. They don't think this is a
problem. I do. Same sorts of problem.
Most backbone providers block RFC1918 addresses at various points along the
way. Solution is to tell those people who have put in kludges to fix them.
My question is: Should I stick with that strict policy, or am I safe in
relaxing it for ICMP messages just to suit inconsiderate ISPs who refuse
to comply with RFC1918?
IMHO no. Other less-relaxing-than-you backbone providers will block this
traffic anyway - so you allowing it will only fix the problem where the
source of the private address space is close enough to you that there isn't
a sink hole in the middle.
Seen this same problem before anyway. Only solution is to "fix" it. :-)