Mailing List Archive


Re: Cisco 2611 as a firewall?



Scott Stone (SStone@example.com) wrote:

> well Jonathan, yes and no.... a border router would theoretically be paired
> with a firewall and/or a core router, at an ISP, but this seems like a very
> small-scale ISP on a limited budget.  You don't *necessarily* want to allow
> all traffic in.

I also suspect that this 2611 will be the only router, but then you
essentially *must* let all traffic in, because your dial pools 
need that.  Unless they tell their customers up-front that they
won't be able to play their favorite online game or do pretty 
much anything else, there'll be a lot of unhappiness.  If they
do tell them that, the unhappiness will be at the ISP, 'cuz there
won't be any customers.

About the only thing they can do there - if they have a
no-servers TOS for dial-up - is to filter ports < 1024 to the
dial pools.

So while they could do some basic firewalling on the 2611, as
we've both pointed out, it's not a great idea.  And we haven't
asked yet if they plan to take a partial BGP view (stuff that
2611 with memory and sleep near the phone!) or if they're just
going to run a static route to their bandwidth provider.  I'd also
favor two 768K links to two different upstreams over two different
carriers.

> Especially considering that a C2611 has *two* ethernets plus the capability

It does, but routers should route, and run some access lists, especially on
a capable but not super powerful router.  Yeah, this solution may be better
than nothing if this ISP has no money whatsoever (possible), but a
real, stateful firewall in front of the boxes that need protection would
stand them in better stead.


> oh and you could block the AOL IM ports there too, if you wanted to be
> evil[1]
> 
> [1] who doesn't?

:-)  Really, though, any ISP that wants customers can't go around
filtering instant messaging.  Besides, it would be lots more fun
to filter MS stuff :-)

Jonathan
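The "filter ports < 1024 to the dial pools" idea from the message above, written out as a Cisco IOS extended access list. This is an added example and is not configuration from the original thread or from either poster; the dial-pool range 192.0.2.0/24, the access-list name DIALPOOL-IN and the interface Ethernet0/0 are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread.
! Assumptions: dial pool is 192.0.2.0/24, the upstream link is Ethernet0/0.
ip access-list extended DIALPOOL-IN
 remark Drop new inbound connections to server ports (0-1023) on the dial pool
 deny   tcp any 192.0.2.0 0.0.0.255 lt 1024
 deny   udp any 192.0.2.0 0.0.0.255 lt 1024
 remark Everything else (games, replies to high ports, ICMP) still passes
 permit ip any any
!
interface Ethernet0/0
 description Link to upstream bandwidth provider
 ip access-group DIALPOOL-IN in
!
```

Two things to check before turning this on. First, the list is stateless: it only looks at the destination port, so replies to connections the dial users open come back to high ports and are unaffected, but anything where the dial user's own port sits below 1024 is cut off, for example NTP clients (123/udp) and the ident queries (113/tcp) that many IRC servers send back to the client. Second, `show access-lists DIALPOOL-IN` shows per-line hit counters, which is the cheap way to see what the filter is actually dropping; adding `log` to the deny lines gives per-packet detail but costs CPU on a router this size, which is the same reason the thread recommends a proper stateful firewall for anything beyond port-based rules.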

