I have been advised that I firewall a lot of people who wish to gain access to my assets on the web.
These few have indicated that "public facing" should not include firewalling of those seeking access.
Well ... I beg to differ. Once you are caught in the logs attempting to exploit my assets from the web, the subnet upon which you operate gets a CIDR-level block in my firewall.
This means you and any others on the same subnet from which you attempted exploit cannot get to the assets anymore.
Though it is not a "policy" per se, I do not usually remove a block unless the offending party contacts me and explains themselves.
Even then restoring access is a highly conditional affair recorded in desktop lists and can be revoked at the drop of a hat.
So no, I am not one with whom to trifle when it comes to my stuff and your exploits. The only people not automatically and immediately firewalled upon the first exploit are those in my service area.
They receive additional "consideration" in the form of me contacting their ISPs, and upon my review they will either be firewalled or not. I'm not sitting here on pins and needles fearing any exploits, because I have multilayered security protocols in place: if the firewall doesn't get you, the other things will.
People in general are welcome here. Those without access share a subnet with a purveyor of exploits. I'm not in the business of tracking down the various avenues available to an individual attempting exploit. I check the network parameters and all IP addresses they may engage are gone. Just like that.
These 'colocation' anuses are the most fun. They don't think I won't backtrace every connection when I will.
I even firewall entire ASIN groups when I feel it's indicated. If you're not in my service area you are not significant to my existence unless you make yourself so. I will open the firewall upon request and deal with exploits from that subnet separately.
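One way to automate the log-to-CIDR-block step described above, written as an added example rather than the author's own tooling. The log lines are constructed, and the probe signatures, the service-area exemption prefix, the /24 granularity and the nftables table/chain names are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (not real traffic).
LOG_LINES = [
    '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.78 - - [10/Oct/2023:13:55:40 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
    '192.0.2.15 - - [10/Oct/2023:13:56:09 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0',
]

# The "service area": hits from here are held for manual review, not blocked (assumed prefix).
SERVICE_AREA = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed probe signatures: paths this site does not serve, plus traversal attempts.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"/cgi-bin/", r"\.\./|%2e%2e", r"/wp-login\.php", r"/phpmyadmin/")]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (client_ip, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), m.group(3), int(m.group(4))

def blocks_for(lines, service_area=SERVICE_AREA, prefix_len=24):
    """Map each offending /24 to the probing client IPs seen in it; service-area
    hits are returned separately instead of being blocked."""
    blocked, review = defaultdict(set), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not any(p.search(parsed[1]) for p in PROBE_PATTERNS):
            continue
        ip = parsed[0]
        if any(ip in net for net in service_area):
            review.add(str(ip))
            continue
        # Widen the single host to its enclosing prefix (strict=False clears the host bits).
        cidr = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        blocked[str(cidr)].add(str(ip))
    return dict(blocked), review

def nft_rules(blocked):
    """Render blocked prefixes as nftables drop rules (table and chain names assumed)."""
    return [f"nft add rule inet filter input ip saddr {c} drop" for c in sorted(blocked)]
```

Running `blocks_for(LOG_LINES)` blocks 203.0.113.0/24 and 198.51.100.0/24 while leaving the service-area hit from 192.0.2.15 for review; the unrelated 203.0.113.77 loses access along with its subnet, which is exactly the trade-off the post describes.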