Security of National Infrastructure

Question:
Why is it that every company out there allows connections through their
firewalls to their web and mail infrastructure from countries that they
don't even do business in? Shouldn't it be our default to only allow US
based IP addresses and then allow others as needed? The only case I can
think of would be traveling folks that need to VPN or something, which
could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still
seem to be in the wild west, but no-one has the b@lls to be brave and
block the unnecessary access.

maybe because those godless communist sexually deviant vicious perverts
out there in the rest of the world are damned hard to differentiate from
the sexually deviant vicious perverts we have in our government?

and their money is still good. you may want to look at the balance of
trade and worry about the opposite flow.

sheesh!

randy

Dear Mr. Shadow,

Your previous employer, Mr. Lamont Cranston, has recommended you for
consulting work with our US office. This would allow you to work 20
hrs/week from home. Our need is such that we would be willing to offer
you up to 150.000 euros/yr (~$197,970.12) as a non-exclusive retainer
for these services. Please respond at your earliest convenience.

We were particularly impressed by what we saw on your Web site.

Oops, but you missed that because you only allowed provincial mail in.
And didn't let them see your Web site.

> Why is it that every company out there allows connections through their
> firewalls to their web and mail infrastructure from countries that they
> don't even do business in? Shouldn't it be our default to only allow US
> based IP addresses and then allow others as needed? The only case I can
> think of would be traveling folks that need to VPN or something, which
> could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still
> seem to be in the wild west, but no-one has the b@lls to be brave and
> block the unnecessary access.

Most people inherently know the answer to this, but I figure I might as well answer the question since it was asked.

It is the way it is, because the internet works when it's open by default, and closed off carefully (blacklists and such). Would email have ever taken off if it were based on white lists of approved domains and/or senders? Sure, it might make email better NOW (maybe?) but in the beginning?

Block the few bad apples, and generally allow everything else by default. (but allow it carefully) It works for the web, email, airport security, and society in general (mostly open, free... unless you're a Bad Guy Criminal Type).

No one is smart enough to be a central planner, and know where the bad is, all the time. And no one is smart enough to predict who/where the "good" is. That's why open by default (with careful security to screen out the "bad") generally works the best. Chase down the "bad", and assume (correctly so) that the rest is "good."

Same concept applies to why we have police that chase criminals, rather than just throwing everyone in prison by default and making them prove that they're worthy of being free.

-Jerry

I can't quite tell if this is a troll or legit question. Had I not just gone through this same debate with someone else who was serious about it, I would have assumed the former. :)

1) There is no 100% accurate list of what country the assignee of an IP address is. Through our own experiences, the best geotargeting databases are less than 90% accurate at the country level.

2) Even if you were able to 100% accurately list what the country of origin of each allocation is, that still doesn't mean you can determine where the system itself is. Out of one /16 allocation it's not uncommon to see chunks of it deployed in several countries. Multinational companies may forward all of their outgoing mail to one or two large servers in a different country than the sender/recipient is in.

3) Even if you can get around #1 and #2, nothing stops the "bad guys" from connecting to a host in your country and forwarding whatever attack they want from there.

4) Even if you can get around #1, #2 and #3, legitimate accesses from people in your country may go through servers in another country. (Non-US users using Gmail for example)

5) Even if you're positive that the above 4 don't matter, you're talking about a HUGE number of firewall entries. In our current geotargeting database, collapsing all known US allocations into as big CIDR blocks as possible while still leaving out uncertain/unknown blocks, that still ends up with around 1,800,000 firewall rules to allow only known US IP addresses. Working off a blacklist isn't much better. If you don't like Canadians, you're adding 80,000 rules. If you want to keep the Chinese out, that's 155,000 rules. If it's British hackers you're concerned about, you've got 308,705 distinct IP blocks to ban.

6) Allocations change constantly; how are you keeping this list updated?

7) What about open proxies, botnets, or other nasties inside the "good" countries?

8) The first time your CEO loses an email from his daughter while she's on vacation to Singapore, you're going to have to remove all of this.
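The rule-count and "where is the host really" problems in points 2 and 5 above can be seen on a small scale with the standard library. This is an added example, not code from anyone in the thread; the allocation table is constructed for illustration and is not real registry data.

```python
"""Country allowlisting mechanics: collapse prefixes into CIDR rules,
count them per country, and resolve an address by longest-prefix match."""
import ipaddress

# Constructed sample of (prefix, registry country). Not real assignments.
SAMPLE_ALLOCATIONS = [
    ("203.0.113.0/25", "US"),
    ("203.0.113.128/25", "US"),   # adjacent to the /25 above: merges into one /24
    ("198.51.100.0/24", "US"),
    ("198.51.100.0/26", "US"),    # inside the /24 above: absorbed, not a new rule
    ("192.0.2.0/24", "NZ"),
    ("192.0.2.64/26", "US"),      # chunk of an NZ block deployed in the US (point 2)
    ("10.0.0.0/24", "US"),
    ("10.0.2.0/24", "US"),        # not adjacent to 10.0.0.0/24: cannot be merged
]


def rules_for_country(allocs, country):
    """Fewest CIDR rules that cover every prefix registered to `country`."""
    nets = [ipaddress.ip_network(p) for p, c in allocs if c == country]
    # collapse_addresses merges adjacent blocks and drops overlapping ones
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def rule_counts(allocs):
    """Number of firewall rules an allowlist (or blocklist) needs per country."""
    return {c: len(rules_for_country(allocs, c))
            for c in sorted({c for _, c in allocs})}


def country_of(allocs, ip):
    """Longest-prefix match: the most specific allocation decides the country,
    which is why one registry entry can hide hosts in several countries."""
    addr = ipaddress.ip_address(ip)
    best = None
    for p, c in allocs:
        net = ipaddress.ip_network(p)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, c)
    return best[1] if best else None


def allowed_by_allowlist(allocs, country, ip):
    """Would a 'only this country' allowlist admit `ip`?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r)
               for r in rules_for_country(allocs, country))
```

Eight sample prefixes already need five US rules after collapsing, and 192.0.2.70 is admitted by the US allowlist even though its parent /24 is registered elsewhere.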

> Why is it that every company out there allows connections through their
> firewalls to their web and mail infrastructure from countries that they
> don't even do business in? Shouldn't it be our default to only allow US
> based IP addresses and then allow others as needed? The only case I can
> think of would be traveling folks that need to VPN or something, which
> could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still
> seem to be in the wild west, but no-one has the b@lls to be brave and
> block the unnecessary access.

I assume you want this:

http://geekculture.com/joyoftech/joyarchives/446.html

Most "unnecessary access" I see seems to be coming from US-based IP addresses anyway. A Great Firewall Of USA would certainly reduce the amount of spam I get :)

Hear Hear!
It'd be amazing how much easier my mail handling life would be if I could blindly drop *.comcast.net without worrying about collateral damage.

(Some years ago I had to ring an ISP in the US - and I'm in NZ - and ask them by _phone_ why they appeared to be filtering connections from here to their web server, despite the fact we were one of their customers. Turns out that they had inbound filters applied to 202/8. Whoopsie?)

Mark. (It's the Internet, not the USofA-net. Damnit!)

Jerry Pasker wrote:

> It is the way it is, because the internet works when it's open by default, and closed off carefully (blacklists and such). Would email have ever taken off if it were based on white lists of approved domains and/or senders? Sure, it might make email better NOW (maybe?) but in the beginning?

There was an experiment on this. It's called X.400.

Pete

I think the better answer is: "your network your choices, my network my
choices"

And then I can refuse to read anything that comes from the US. After all, the pharma spam is clearly targeted on US residents. But what about all the Alice.it/Telecom Italia spam? Killfile the whole country, clearly. And the Chinese porno spam? And the Russian hackers?

I remember there used to be something called the Internet…