On 2023-07-27, Polarian <polarian@polarian.dev> wrote:
> Also I pay for A&A for a reason, they are the most reliable ISP in the
> UK, and I do not think that is up for debate.

it is up for debate, their newer LNS are still rather crashy, it's
fairly easy to trigger their "portsuspended" thing and knock users
offline, and their peering/transit ports are relatively low capacity
compared to many ISPs so they're more easily affected by DoS.

imho the main reason for paying their premium is if you specifically
need features which they offer that others don't (e.g. the multi line
balancing/fallback options can be handy sometimes, and they're one of
a small handful of UK ISPs who will do "bring your own provider
independent IP block and we will route it").

if things like that aren't needed there are other ISPs who are also
equally good (and better for some things) who are often a bit less dear
(though most of those start getting expensive if you want decent size
routed blocks, which a&a don't specifically charge for).

> Besides, I do not know if it is good or bad practice, but when I was
> writing my rules I did not like using "any" and would prefer to specify
> specific blocks. If something weird happens I would rather the packet
> dropped rather than go through an "any" filter.

beware the implicit default rule if no others match is "pass flags any
no state" so in nearly all cases you do want a "block any" or "block log
any" to catch those.

> Maybe it could be caused by the use of alias over just plain inet? Is
> there hidden logic behind the use of alias?

it's not that - for IPv4, using just plain "inet" overrides the existing
address; you need "alias" to add more than 1 address to an interface.
(it's different for IPv6).

> Any suggestions to what I can try?

not really from just a written description. something might come to
mind if I see ifconfig -A, pf.conf, netstat -rnfinet, not sure though.
--
Please keep replies on the mailing list.
----- End forwarded message -----
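
The point in the message above about pf's implicit default, as an added example that is not part of the forwarded message or of pf itself: a simplified Python model of rule evaluation (last matching rule wins, a matching "quick" rule stops evaluation, no match means pass). The `Rule` class, `evaluate` function, rulesets and addresses are constructed for illustration, and the model ignores state, TCP flags and interfaces.

```python
"""Simplified model of pf rule evaluation (added example, not pf itself)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    src: str = "0.0.0.0/0"        # source prefix; the default models "any"
    dport: Optional[int] = None   # destination port; None models any port
    quick: bool = False           # "quick" ends evaluation at this rule

    def matches(self, src_ip: str, dport: int) -> bool:
        in_prefix = ip_address(src_ip) in ip_network(self.src)
        return in_prefix and self.dport in (None, dport)


def evaluate(rules: list[Rule], src_ip: str, dport: int) -> str:
    """Return the verdict for one packet under the modelled semantics."""
    verdict = "pass"              # implicit default when nothing matches
    for rule in rules:
        if rule.matches(src_ip, dport):
            verdict = rule.action  # a later match overrides an earlier one
            if rule.quick:
                break
    return verdict


# Constructed rulesets; 192.0.2.0/24 and 203.0.113.7 are documentation addresses.
SPECIFIC_ONLY = [
    Rule("pass", src="192.0.2.0/24", dport=22),
    Rule("pass", src="192.0.2.0/24", dport=443),
]
# Same rules with a catch-all block placed first, so it applies only
# to packets that no later pass rule matches.
DEFAULT_DENY = [Rule("block")] + SPECIFIC_ONLY

if __name__ == "__main__":
    packets = (("192.0.2.10", 22), ("203.0.113.7", 23))
    for name, rules in (("specific only", SPECIFIC_ONLY), ("default deny", DEFAULT_DENY)):
        for src_ip, dport in packets:
            print(f"{name:13} {src_ip:>12} port {dport:<4} -> {evaluate(rules, src_ip, dport)}")
```

A ruleset made only of narrow pass rules filters nothing in this model: the unrelated packet from 203.0.113.7 to port 23 still passes until the catch-all block is present.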