On 8/11/05, Don Munyak <don dot munyak at gmail dot com> wrote:
> We have a cisco 1720 border router currently configured to do nothing
> but route packets. No filtering. I have been thinking about putting an
> "INGRESS" acl list on the serial link to block bogus inbound packets.
>

If the router has CPU power to spare (a 1720, assuming a full T1, should have the power to spare unless you get really crazy with the ACLs), it's not going to hurt anything. It can become difficult to manage if you do much more than some minimal bogon filtering on the router.

> But instead of applying an "EGRESS" acl to the same cisco serial link,
> I was thinking of entering these filters to the LAN & DMZ link of
> m0n0wall.

You could do that as well.

> I am thinking that if some rogue application is trying to phone home,
> by using an invalid destination IP address?

That'll just end up getting dropped by your ISP anyway because it doesn't know where to route it. It certainly wouldn't phone home to anything, unless someone hostile has taken over your ISP's network (in which case this wouldn't buy you anything anyway).

> by applying the filter to the m0n0wall link(s), I can see
> which local host is passing the bad packets. Or would I just apply the
> filters to the WAN link?
>

Only filters inbound to the interface, so it'd have to be on the LAN and DMZ interfaces if you're egress filtering.

-Chris
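As an added illustration (not code from the thread, from m0n0wall or from IOS), a small Python model of the two placements discussed above: an ingress bogon filter on the WAN side and an egress filter applied inbound on the LAN/DMZ interfaces, run over constructed packets to show how the inside placement still reveals which local host sent the bad packet. The subnets, interface names and traffic are assumptions.

```python
from ipaddress import ip_address, ip_network

# Well-known non-routable space (RFC 1918, loopback, link-local, "this"
# network, multicast, reserved). Real bogon lists are longer and change.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed topology: TEST-NET-3 stands in for the site's public block,
# RFC 1918 segments sit behind m0n0wall.
OUR_PUBLIC = ip_network("203.0.113.0/24")
INTERFACES = {"LAN": ip_network("192.168.1.0/24"),
              "DMZ": ip_network("192.168.2.0/24")}

def is_bogon(addr):
    return any(ip_address(addr) in n for n in BOGONS)

def ingress_wan(src, dst):
    """Inbound on the serial/WAN link: drop bogon sources and packets that
    spoof our own public block."""
    return "drop" if is_bogon(src) or ip_address(src) in OUR_PUBLIC else "permit"

def egress_inside(iface, src, dst):
    """Egress policy, but applied inbound on a LAN or DMZ interface because
    filters only match traffic entering an interface. Drops sources that do
    not belong to the segment and destinations in bogon space, while still
    allowing traffic between the local segments."""
    s, d = ip_address(src), ip_address(dst)
    if s not in INTERFACES[iface]:
        return "drop"                                  # spoofed source
    if any(d in n for n in INTERFACES.values()):
        return "permit"                                # LAN <-> DMZ traffic
    return "drop" if is_bogon(dst) else "permit"

def offending_hosts(packets):
    """Map (interface, source host) -> dropped destinations: because the
    filter sits on the inside interface, the sender is still visible."""
    seen = {}
    for iface, src, dst in packets:
        if egress_inside(iface, src, dst) == "drop":
            seen.setdefault((iface, src), []).append(dst)
    return seen

SAMPLE = [                                      # constructed traffic
    ("LAN", "192.168.1.10", "198.51.100.5"),    # normal outbound
    ("LAN", "192.168.1.23", "10.9.9.9"),        # "phone home" to bogon space
    ("LAN", "192.168.1.23", "192.168.2.5"),     # LAN -> DMZ, legitimate
    ("DMZ", "192.168.1.23", "198.51.100.5"),    # LAN address seen on DMZ
    ("DMZ", "192.168.2.5", "127.0.0.1"),        # loopback destination
]

if __name__ == "__main__":
    for key, dsts in offending_hosts(SAMPLE).items():
        print(key, "->", dsts)
```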