Date:      Wed, 24 Apr 2024 11:00:57 -0700
From:      Gregory Shapiro <gshapiro@freebsd.org>
To:        "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Source IPv4 address selection vs BGP IX connection
Message-ID:  <3exr7zmcxnfxuofbyf57gdbzxxrgntprydeesbjsparq3xgeri@p4irynwruq7f>
In-Reply-To: <202404241742.43OHghWB055177@gndrsh.dnsmgr.net>
References:  <xrxvyz6h3t45tfbqxag2ueqe6ocg2myxhdg7kqsbjx6czj4xeo@jqwioylxcb2c> <202404241742.43OHghWB055177@gndrsh.dnsmgr.net>

> The mistake you're making, IMHO, is that an IX connected eBGP FreeBSD
> router _SHOULD NOT_ be doing ANYTHING other than BGP on the IX
> connected interface, and anything like DNS and outbound SMTP should be
> going inward on the AS, not outward to the internet.

Fair point and thank you for the advice.  I am locking it down to an
extent (denying all inbound ports except 22, 179 from an ipfw table list
of trusted hosts/peers/upstreams/downstreams) but not as tightly as you
suggest as I do use some on-Internet services.  Specifically, port 25 to
my own mail server (not an unwashed Internet service, but sitting off of a
different network) for system generated mail (cron, /etc/periodic/ script
output), 53 to admittedly "unwashed" Google DNS, and 123 to
FreeBSD's NTP pool (again "unwashed" to an extent).

I will look at using local instances for the latter two.

I still see value in source IP selection, even outside of the IX use
case.
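
Added example, not code from this thread or from FreeBSD: an ipfw ruleset
script in the usual /etc/ipfw.rules style that applies the policy described
in the reply above (inbound to the router only ssh and BGP from a table of
trusted hosts, outbound from the router only SMTP to its own mail server,
DNS and NTP).  The interface name vlan100, the table name "trusted", the
rule numbers and every address are assumptions or constructed values from
RFC 5737 documentation space.  The one detail worth checking on a router
rather than a host is that the deny rules are written "to me" / "from me":
transit packets arriving on the IX interface are addressed to someone else,
so they are not touched by these rules and are still forwarded.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for an IX-facing eBGP router.
# Interface, table name and all addresses below are assumptions / constructed.
IX_IF="vlan100"                                   # assumed IX-facing interface
MAIL_HOST="192.0.2.25"                            # constructed: own mail server on another network
DNS_HOSTS="8.8.8.8,8.8.4.4"                       # the Google resolvers mentioned in the reply
TRUSTED="198.51.100.1 198.51.100.2 203.0.113.10"  # constructed: peers, upstreams, admin hosts

# Every ipfw invocation goes through fw() so the whole ruleset can be
# dry-run with FWCMD=echo before it is loaded on a production router.
fw() { ${FWCMD:-ipfw -q} "$@"; }

# Rebuild the trusted-host table from scratch (the destroy fails harmlessly
# when the table does not exist yet).
load_trusted() {
    fw table trusted destroy 2>/dev/null || true
    fw table trusted create type addr
    for h in $TRUSTED; do fw table trusted add "$h"; done
}

apply_ruleset() {
    fw -f flush                      # drop the old ruleset without prompting
    load_trusted                     # after flush, so no rule references the table
    fw add 100 allow ip from any to any via lo0
    fw add 200 check-state           # return traffic of the stateful rules below
    # Router-destined traffic from the IX: only ssh and BGP, only from trusted
    # hosts, as tracked sessions.  Transit is "to not me" and is unaffected.
    fw add 300 allow tcp from 'table(trusted)' to me 22,179 in via "$IX_IF" setup keep-state
    fw add 310 allow tcp from me to 'table(trusted)' 179 out via "$IX_IF" setup keep-state
    # ICMP errors needed for PMTU discovery and traceroute still reach the router.
    fw add 320 allow icmp from any to me in via "$IX_IF" icmptypes 3,11
    # Router-originated traffic over the IX: system mail, DNS, NTP, ICMP errors.
    fw add 400 allow tcp from me to "$MAIL_HOST" 25 out via "$IX_IF" setup keep-state
    fw add 410 allow udp from me to "$DNS_HOSTS" 53 out via "$IX_IF" keep-state
    fw add 420 allow udp from me to any 123 out via "$IX_IF" keep-state
    fw add 430 allow icmp from me to any out via "$IX_IF"
    # Anything else to or from the router itself on the IX interface is logged
    # and dropped (needs net.inet.ip.fw.verbose=1 for the log lines).
    fw add 65000 deny log ip from any to me in via "$IX_IF"
    fw add 65010 deny log ip from me to any out via "$IX_IF"
}

# ./ixfw.sh dry-run   prints the commands;   ./ixfw.sh apply   loads them.
case "${1:-}" in
    apply)   apply_ruleset ;;
    dry-run) FWCMD=echo; apply_ruleset ;;
esac
```

Run it with the dry-run argument first and read the printed rules; the
outbound rules 400-420 are the ones to delete once the DNS and NTP services
are moved inside the AS, as the reply says it intends to do.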


