We're considering a firewall design that combines a screening router with a
dual-homed bastion host running application-level gateways. We recognize the
need to configure the router to reject spurious messages, e.g., spoofing
attempts (à la CERT).
My question is as follows... Is it still necessary (or advisable) to also
configure the router to reject messages that are directed to potentially
dangerous ports, even though no proxies corresponding to those ports exist
on the bastion? For example, if tftp is not running on the host, is it still
necessary to block UDP port 69 on the screening router? Thanks.
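The trade-off the question raises, in an added example that is not part of the original post: a minimal first-match packet filter modelling the screening router beside the bastion's own listening sockets. It shows that the router's explicit port deny is what keeps a service closed when the bastion's configuration later drifts (tftpd gets enabled) or when the router's policy is default-permit rather than default-deny. The addresses (RFC 5737 documentation ranges), rule syntax and service sets are constructed for this illustration and do not come from any real router.

```python
"""Added example: screening router ACL + bastion exposure, as a tiny simulation.
All addresses, rules and listening sets below are constructed, not from the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional, Set, Tuple

INTERNAL_NET = ip_network("192.0.2.0/24")   # constructed: inside network
BASTION = "192.0.2.10"                      # constructed: dual-homed bastion host


@dataclass
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    iface: str    # interface the packet arrives on: "outside" or "inside"


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    iface: Optional[str] = None      # None means "any" for every field below
    src_net: Optional[IPv4Network] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src_net is None or ip_address(p.src) in self.src_net)
                and (self.dst is None or self.dst == p.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; an unmatched packet gets the policy default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Screening router ACL for the outside interface, in evaluation order.
ROUTER_ACL = [
    # Anti-spoofing: an outside packet must not claim an inside source address.
    Rule("deny", iface="outside", src_net=INTERNAL_NET, note="anti-spoof"),
    # Explicit deny for a service the bastion does not proxy, listening or not.
    Rule("deny", iface="outside", proto="udp", dport=69, note="tftp"),
    # Only the bastion's application-level proxies are reachable from outside.
    Rule("permit", iface="outside", dst=BASTION, proto="tcp", dport=25, note="smtp proxy"),
    Rule("permit", iface="outside", dst=BASTION, proto="tcp", dport=80, note="http proxy"),
]

Socket = Tuple[str, int]
PROXIES_ONLY: Set[Socket] = {("tcp", 25), ("tcp", 80)}      # intended bastion state
DRIFTED: Set[Socket] = PROXIES_ONLY | {("udp", 69)}         # tftpd enabled by mistake

TFTP_PKT = Packet("203.0.113.5", BASTION, "udp", 69, "outside")
SPOOF_PKT = Packet("192.0.2.77", BASTION, "tcp", 25, "outside")
SMTP_PKT = Packet("203.0.113.5", BASTION, "tcp", 25, "outside")


def bastion_accepts(listening: Set[Socket], p: Packet) -> bool:
    """The bastion only answers on sockets it actually has open."""
    return (p.proto, p.dport) in listening


def reaches_service(acl: List[Rule], listening: Set[Socket], p: Packet,
                    default: str = "deny") -> bool:
    """A request is served only if both the router and the bastion let it through."""
    return evaluate(acl, p, default) == "permit" and bastion_accepts(listening, p)


def run_scenarios() -> Dict[str, object]:
    """Compare the layers: with and without the router's tftp rule, with and without drift."""
    acl_without_tftp_rule = [r for r in ROUTER_ACL if r.note != "tftp"]
    return {
        "router_tftp": evaluate(ROUTER_ACL, TFTP_PKT),
        "router_spoof": evaluate(ROUTER_ACL, SPOOF_PKT),
        "smtp_served": reaches_service(ROUTER_ACL, PROXIES_ONLY, SMTP_PKT),
        "tftp_no_drift": reaches_service(ROUTER_ACL, PROXIES_ONLY, TFTP_PKT),
        "tftp_drift": reaches_service(ROUTER_ACL, DRIFTED, TFTP_PKT),
        # Default-deny router: dropping the explicit rule changes nothing for tftp.
        "tftp_drift_no_rule_default_deny":
            reaches_service(acl_without_tftp_rule, DRIFTED, TFTP_PKT, "deny"),
        # Default-permit router: without the explicit rule, drift on the bastion exposes tftp.
        "tftp_drift_no_rule_default_permit":
            reaches_service(acl_without_tftp_rule, DRIFTED, TFTP_PKT, "permit"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:36s} {result}")
```

The last two scenarios carry the point: under a default-deny policy the explicit UDP/69 deny is redundant for the router's own decision but costs nothing and documents intent, while under a default-permit policy (or after someone appends a broad permit later) it is the only thing standing between an outside sender and a bastion that has quietly started listening.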