Re: The "not long discussion" thread....

["Christopher L. Morrow" <christopher.morrow () mci com>]

On Wed, 27 Apr 2005, Jerry Pasker wrote:
> Christopher L. Morrow allegedly wrote:
>
> > This, it seems, was an unfortunate side effect (as I pointed out earlier)
> > of legacy software and legacy config... if I had  to guess.
>
> You guess wrong.  See the above.  And don't pass judgement. (am I
> being sited for lack of clue?  It kind of feels like it)  It wasn't a

no lack of clue meant, just pointing out one possible cause of the acl
usage. I don't think I saw the original reasoning in the original email.

> *BAD* thing, it was a *GOOD* thing.  It made things better, not
> worse.  I still may go back and re-implement port 53 blocks in the
> future if I find a good reason to. I know now that it doesn't really
> cause operational problems.  At least not in a smaller ISP
> environment.  Would I want a transit network to block TCP 53?  Of
> course not.  But my end customers request those types of services
> regularly, so I try to provide what they want.

Sure, this is a form of 'managed security services' and the custommer (and
you) agree to that policy change.

> And don't think I'm coming off as all ticked off and defensive.  I'm
> not ticked off, I'm actually enjoying this.  As for being defensive?
> Maybe.  I'm trying hard not to be though.  I really can't help
> myself........I have this lurking fear that I'm being tossed in to
> the "clueless block TCP 53 with an outsourced firewall, and don't
> know what I'm doing beyond that" group that I so despise.  ;-)
> Especially on this list, full of people that I have so much respect
> for.

either way, it was just one possibliity of many for the acl to be there,
nothing more :)

> good of the group, and therefore, worth it.  And I still think that.

excellent, it probably helps Patrick, the world-nic  folks and others as
well :)