Re: Filters

Greg Merrell (greg@netuser.com)
Wed, 25 Oct 1995 07:31:50 -0700 (PDT)

Leo Savage <leo@esva.net> wrote:
>I have a suggestion regarding filters. Perhaps you already do this and
>I've simply overlooked it.
>
>Suppose there is something I don't want anyone to be able to do. Perhaps
>(just pulling an example out of the air) I don't want anyone to ever
>telnet to my Portmaster, or whatever. No matter where they are coming in
>or where they are going out, there's some "thing" I don't want anyone doing.
>
>Right now I have to put the appropriate rules in the filters for my WAN
>port, my ethernet port, and every one of my user filters. How about a
>"global filter" that everything runs through?

I suspect that's not what you really want. What I think you want is actually a
filter on the virtual terminal ports on the PM or 'the box itself' instead.
Here's why I think that.

Let's say that you want to disable anyone from getting to the virtual terminal
ports from anywhere. So you create your 'global filter' that disables port 23.
But as a side effect, it also prevents through traffic from the dialup users for
any outbound port 23 destination. Seems to me like most people would find that
an undesirable side effect.

In addition to the telnet port on the box, I could see a desire for SNMP, ICMP
ports (for ping and traceroute), portmaster protocol, and maybe others that
don't jump out at me.

Greg

=========================My return addresses are==============================
Greg Merrell Internet: greg@msm.com
MSM Company Internet Services Voice: +1-408-253-0970
Cupertino, CA Fax: +1-408-253-0590
==============================================================================
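
The side effect described in the reply above, modelled as an added example (not part of the original message, and not PortMaster filter syntax): the same "deny telnet" rule applied as a global filter versus only to traffic addressed to the box itself. The addresses, rule format and function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed addresses (documentation ranges); none come from the original message.
ROUTER_ADDRS = {ip_address("192.0.2.1")}  # addresses owned by the box itself
TELNET = 23

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # unused for icmp

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return self.proto in (None, p.proto) and self.dport in (None, p.dport)

def evaluate(rules, pkt, default="permit"):
    """First matching rule wins; otherwise the default action applies."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default

def global_filter(rules, pkt):
    """The proposed 'global filter': forwarded and local traffic both pass through it."""
    return evaluate(rules, pkt)

def box_filter(rules, pkt):
    """Filter on 'the box itself': only packets addressed to the router are checked."""
    return evaluate(rules, pkt) if ip_address(pkt.dst) in ROUTER_ADDRS else "permit"

DENY_TELNET = [Rule("deny", "tcp", TELNET)]
TO_BOX = Packet("198.51.100.7", "192.0.2.1", "tcp", TELNET)   # telnet to the router
THROUGH = Packet("192.0.2.50", "203.0.113.9", "tcp", TELNET)  # dial-up user's outbound telnet

def compare():
    """Return {filter name: (verdict for TO_BOX, verdict for THROUGH)}."""
    return {name: (f(DENY_TELNET, TO_BOX), f(DENY_TELNET, THROUGH))
            for name, f in (("global", global_filter), ("box", box_filter))}

if __name__ == "__main__":
    for name, (local, fwd) in compare().items():
        print(f"{name:6} filter: telnet to box={local}, telnet through box={fwd}")
```

Both filters stop telnet to the router; only the global one also drops the dial-up user's outbound telnet session.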