First, thanks to everyone for the education. I've learned more about
Cisco access lists, and setting up firewalls in general, over the past
week than I have over the past year.
I need an opinion about how important it is to know who's banging on
the gate -- regardless of whether they get in or not. What we're
considering setting up at the site in question waxes between an installation
where we can record the headers of all packets refused, and one where we
don't. If we don't care who knocks, then the installation is trivially
easy: we can just set up a Cisco IGS as the Internet interface, and filter
the packets coming out of the IGS and into the local network (managed by
the AGS+).
If we *do* care, then (1) won't IP ACCOUNTING record source and destination
addresses of packets, if we, say, leave ICMP replies on? and (2) if we have
to do something more complicated than just setting up an IGS, what options
are there? We'd prefer not to have to kiss a resource like a Sun
workstation goodbye -- which we'd have to do if we were going to run the
Internet interface into one.
But, there's already been a decision not to dedicate a PC to the task; it's
the machine of choice, somehow, for the user community. We'd either have to
toss a Sun to the task, or an IGS. If we decide to care who is trying to get
in, what has to be done to set up a filtering router on it so that we can
capture headers?
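The post asks how to keep a record of who is refused at the gate without giving up a workstation. As an added example that is not part of the original post: assuming the filtering router can send its access-list denials to a syslog host (the `log` keyword on IOS access-list entries, which is a feature of later IOS releases and not necessarily available on the poster's IGS), the Python script below parses a few constructed syslog lines in that format and tallies refused attempts by source address and by destination port. The log lines, the hostname `gw` and the access-list number 101 are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines, in the shape IOS emits for access-list
# entries carrying the `log` keyword (%SEC-6-IPACCESSLOGP for TCP/UDP,
# %SEC-6-IPACCESSLOGDP for ICMP). One unrelated line is included to show
# that non-ACL messages are ignored.
SAMPLE_LOG = """\
Mar  3 02:14:07 gw 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(1034) -> 192.0.2.10(23), 1 packet
Mar  3 02:14:09 gw 13: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(1035) -> 192.0.2.10(25), 1 packet
Mar  3 02:15:31 gw 14: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.44(53) -> 192.0.2.11(53), 3 packets
Mar  3 02:16:02 gw 15: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.7 -> 192.0.2.10 (8/0), 1 packet
Mar  3 02:16:40 gw 16: %LINK-3-UPDOWN: Interface Serial0, changed state to up
"""

# Source/destination ports appear in parentheses for TCP/UDP; ICMP lines
# carry "(type/code)" after the destination instead.
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<type>\d+)/(?P<code>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_denials(text):
    """Return one dict per ACL denial found in the syslog text."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not an ACL log message
        d = m.groupdict()
        events.append({
            "acl": d["acl"],
            "proto": d["proto"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "icmp": (int(d["type"]), int(d["code"])) if d["type"] else None,
            "count": int(d["count"]),
        })
    return events


def summarize(events):
    """Tally refused packets per source and the (proto, port) pairs each source hit."""
    packets_by_src = Counter()
    ports_by_src = defaultdict(set)
    for e in events:
        packets_by_src[e["src"]] += e["count"]
        if e["dport"] is not None:
            ports_by_src[e["src"]].add((e["proto"], e["dport"]))
    return packets_by_src, {s: sorted(p) for s, p in ports_by_src.items()}


def report(text):
    """Produce one summary line per source, busiest first."""
    packets, ports = summarize(parse_denials(text))
    lines = []
    for src, n in packets.most_common():
        hit = ", ".join(f"{proto}/{port}" for proto, port in ports.get(src, []))
        lines.append(f"{src}: {n} refused packet(s); ports: {hit or 'none (icmp only)'}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Two caveats for anyone relying on this. The router still needs a host to send the syslog messages to, so the question of dedicating a machine does not disappear; it only moves from the packet path to the log path, where a shared host is acceptable. And IOS rate-limits ACL logging and periodically emits aggregated counts, so the totals are a lower bound on what was actually refused, not an exact packet count.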