Only one problem: blocking incoming server connections breaks clients and protocols. FTP uses incoming connections for client transfers of files. ICQ, AIM and MSN all use incoming connections to client computers for direct chat. Firewalling like that should only occur at the edges, not in the backbones (which is what the ISP is from the end-user's POV). That way the end user can select firewall settings that work. Just remember, the rules that work for a single attached computer don't neccesarily work for an attached LAN NAT'd through a router.

OTOH, ISPs should be doing technical filtering such as dropping packets with addresses that couldn't possibly be on the other side of the interface they arrived on. Address-based ingress and egress filtering should be standard at the ISP level.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/241/26204#26204