2018-11-16

Pursuing the Mature Firewall

Firewalls are an evolving process in the network. A while back I was a single IP out there with a high capacity modem and gigabit router.

My needs ultimately became the 5 node monstrosity I have now, which lends itself to attack on each of those fronts.

Keeping the bad people out of my stuff is now one of my top considerations. This stems from the rather harrowing adventures in long reading I undertake as an aspect of daily operations.

A little thought ahead of blind blocking has gone a long way toward streamlining my rule set, and it can keep you from falling into the pit of having to revamp everything when you discover that the bulk of your problems come from a limited set of networks.

Firewall
My recent rebuild has left me with everything commented and those regions I know give me the most trouble being identified and curtailed from access.

I originally blocked seven Class A nets because they were from regions I knew were rife with exploits. That number has grown, and now I keep much of Europe and Asia at bay.

The fact that China and other problem traffic buy space in domestic networks to sidestep my firewall doesn't do much other than slow down the process, because my daily log reviews have been catching those too.

What used to be a gazillion or so subnets has been greatly reduced by going for the Class A roots of all evil in my environment. I just wish they would forget about me, but you can tell they haven't when I rebuild the rules because there they all are hitting my servers with wild abandon.

They've pretty much kept up with the address changes quite well.

The moral of the story is don't go crazy with that newfangled firewall you bought and then hurriedly decided to put to work. Think about where those threats originate and how much easier a few rules are to manage compared to a hundred thousand or so.
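The trade-off described above, as an added example that is not from the post: exact aggregation of a subnet list merges overlaps without blocking anything new, while rounding up to whole Class A (/8) blocks the way the post does cuts the rule count further but sweeps in every address in those blocks. The sample prefixes are constructed, not the author's actual rule set.

```python
import ipaddress

# Constructed sample of noisy sources pulled from (hypothetical) log reviews.
NOISY_SOURCES = [
    "203.0.113.0/24", "203.0.113.0/25", "203.0.113.200",
    "198.51.100.0/24", "198.51.100.128/25",
    "192.0.2.0/24", "192.0.2.77",
]


def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def collapse(prefixes):
    """Exact aggregation: merge overlapping and adjacent prefixes, nothing more."""
    return sorted(ipaddress.collapse_addresses(_nets(prefixes)))


def widen(prefixes, prefixlen):
    """Round every source up to a coarser block (8 = whole Class A), then collapse."""
    coarse = [n.supernet(new_prefix=prefixlen) if n.prefixlen > prefixlen else n
              for n in _nets(prefixes)]
    return sorted(ipaddress.collapse_addresses(coarse))


def covered(rules, prefixes):
    """True if every original source still falls inside some rule."""
    return all(any(n.subnet_of(r) for r in rules) for n in _nets(prefixes))


def collateral(rules, prefixes):
    """Addresses the rules block beyond those actually on the list."""
    exact = collapse(prefixes)
    return sum(r.num_addresses for r in rules) - sum(e.num_addresses for e in exact)


if __name__ == "__main__":
    for label, rules in (("exact", collapse(NOISY_SOURCES)),
                         ("/16", widen(NOISY_SOURCES, 16)),
                         ("/8", widen(NOISY_SOURCES, 8))):
        print(label, len(rules), "rules,", collateral(rules, NOISY_SOURCES),
              "extra addresses, covered:", covered(rules, NOISY_SOURCES))
```

Run it before loading a coarse rule set and the "extra addresses" column shows how much legitimate space each /8 takes with it, which is the collateral the post's log reviews later have to account for.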

In my defense all I can say is I'm well over 25 years getting to this point so all I can really do is give you a nice duh and plead ignorance.

HOWEVER, I've never been one to just sit back and take exploit attempts and hacks without preemptive strikes to eliminate them. This is where I am and it works nicely.