I am hoping someone can help me understand something here. I am in the process of configuring a new router, RB433, to act as our “external” router. The previous router, RB230, had a HUGE list of accepted and denied addresses. By huge, I mean hundreds of them. I am detesting the thought, and questioning the need, to transfer all the rules over to the new router.
I am just curious if there is a “set” list of addresses that should be put into a new firewall initially, and then others added as time goes on? It almost seemed like the previous administrator had blocked everything, and then bit by bit opened it up as needed.
In my opinion the previous administrator was doing it exactly right. Trying to maintain a list of bad IPs is equivalent to ‘blacklisting’, which is when you allow all traffic by default and state what traffic is bad and should be thrown away. That is a model that never scales. You’re always playing catch up. The better way to go is ‘whitelisting’, where you by default drop all traffic, and state what traffic is allowed through.
You can use Google to find lots and lots of discussions on why blacklisting is a losing proposition. The last statement of any firewall ruleset should be an unequivocal drop, and before that drop you specify all the traffic you want to let through. Often that is done by protocol when you’re forwarding traffic through the router; for traffic terminating on the router (the ‘input’ chain) it’s nearly always blocks of IP addresses that are allowed management access to the router, or have services provided to them by the router.
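The whitelist layout described in this answer, written out as an added RouterOS example (not the poster's own ruleset). The address ranges, interface names (ether1 = WAN, ether2 = LAN) and the set of allowed ports are placeholders assumed for illustration; substitute your own management blocks and services.

```routeros
# Added example of a default-deny ruleset for a RouterBoard acting as the external router.
# Placeholder values: 192.0.2.0/24 and 198.51.100.10 are documentation ranges, not real hosts.
/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="NOC subnet (placeholder)"
add list=mgmt address=198.51.100.10 comment="admin workstation (placeholder)"

# INPUT chain: traffic terminating on the router itself.
/ip firewall filter
add chain=input action=accept connection-state=established comment="keep existing sessions"
add chain=input action=accept connection-state=related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping and path-MTU discovery"
add chain=input action=accept src-address-list=mgmt protocol=tcp dst-port=22,8291 \
    comment="SSH/Winbox only from the management address blocks"
add chain=input action=accept in-interface=ether2 protocol=udp dst-port=53 \
    comment="DNS service the router provides to the LAN"
add chain=input action=log log-prefix="input-drop " comment="record what the final drop catches"
add chain=input action=drop comment="unequivocal default drop: everything not listed above"

# FORWARD chain: traffic passing through the router, allowed by protocol/port.
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=ether2 out-interface=ether1 protocol=tcp dst-port=80,443 \
    comment="LAN clients to web"
add chain=forward action=accept in-interface=ether2 out-interface=ether1 protocol=udp dst-port=53 \
    comment="LAN clients to external DNS"
add chain=forward action=log log-prefix="forward-drop "
add chain=forward action=drop comment="unequivocal default drop"
```

Apply this from a console or Winbox session that is itself covered by the `mgmt` list, otherwise the final input drop will cut off the session you are configuring from; the log rules before each drop show which legitimate flows still need an explicit accept.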