Re: Filters for PM

sameer (sameer@c2.org)
Thu, 30 Nov 1995 15:41:47 -0800 (PST)

I think that you can enter either domain names or IP#s in the
rule tables but the PM internally saves them as IP#s.

>
> On Thu, 30 Nov 1995, John-David Childs wrote:
>
> > On Fri, 1 Dec 1995, Justin McErlain wrote:
> >
> > > Hi all,
> > >
> > >
> > > our domain 202.37.101 (mac.co.nz)
> > > adjacent site 132.181.30.3 (cantva.canterbury.ac.nz)
> >
> > If I remember correctly, the "rule" of filters is:
> >
> > "That which isn't expressly granted is denied".
> >
> > Thus, you may want to put an ALLOW statement first, then DENY what you
> > don't want them to do.
> >
>
>
> Assuming all you want to do is block certain PPP/SLIP users from
> telnetting directly from their host to the destination in question (too
> many gamers, eh?) this should work:
>
>
> (relevant SLIP/PPP interface ifilter)
>
> set filter foo 1 deny tcp 0.0.0.0/0 132.181.30.3/32 dst eq 23
> set filter foo 2 permit tcp 0.0.0.0/0 0.0.0.0/0
> set filter foo 3 permit udp 0.0.0.0/0 0.0.0.0/0
> set filter foo 4 permit icmp 0.0.0.0/0 0.0.0.0/0
>
>
> You may have forgotten that there is an implied "deny all" rule
> at the end of every filter set. The above is a "permit by default"
> type of filter, which you may or may not want to use.
>
>
> BTW, I have never tried to use domain names in filter rules,
> but even if it works, it's a bad idea. Opens up another avenue for
> attack by subverting DNS, and can't help performance either.
>
>
> ------------------------------------------------------------------------
> David Carmean WB6YZM DC574 dave@west.net
> System/Network Administrator, WestNet Communications, Inc.
> PGP Key Fingerprint: CD 1C C1 15 3E E3 1D 41 ED C2 3E A8 D6 29 BD C4
> ------------------------------------------------------------------------
>
>

-- 
sameer						Voice:   510-601-9777
Community ConneXion				FAX:     510-601-9734
The Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org/ (or login as "guest")		sameer@c2.org
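The thread makes two points about PortMaster-style filter sets: the first matching rule decides, and an implied "deny all" sits at the end of every set, so a set that only contains a deny rule blocks everything. The following toy evaluator is an added example written for this archive page; it is not PortMaster code and not from any poster. It parses the `set filter` syntax shown above into rules, evaluates constructed sample packets against the "permit by default" set from the thread (with the telnet test placed on the destination port, since traffic leaving the dial-up user's host for the remote telnet server carries destination port 23) and against the deny rule on its own, and refuses host names in rules so a DNS answer can never change what a rule matches. The host addresses 202.37.101.10 and 192.0.2.x are constructed for the demo.

```python
"""Toy first-match packet filter modelled on PortMaster 'set filter' rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_side: Optional[str]     # "src" or "dst"; None when the rule has no port test
    port_op: Optional[str]       # "eq", "ne", "lt", "gt"
    port: Optional[int]

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None  # ICMP and other port-less protocols leave these None
    dport: Optional[int] = None

PORT_OPS = {
    "eq": lambda a, b: a == b,
    "ne": lambda a, b: a != b,
    "lt": lambda a, b: a < b,
    "gt": lambda a, b: a > b,
}

def parse_rule(line: str) -> Rule:
    """Parse 'set filter NAME SEQ permit|deny PROTO SRC/MASK DST/MASK [src|dst OP PORT]'.
    Addresses must be numeric: IPv4Network() raises ValueError for a host name, so a
    rule written with a DNS name is rejected instead of being resolved at load time."""
    tok = line.split()
    if len(tok) < 8 or tok[0] != "set" or tok[1] != "filter":
        raise ValueError(f"not a filter rule: {line!r}")
    seq, action, proto = int(tok[3]), tok[4], tok[5]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    src = ipaddress.IPv4Network(tok[6], strict=False)
    dst = ipaddress.IPv4Network(tok[7], strict=False)
    side = op = port = None
    if len(tok) > 8:
        if len(tok) != 11 or tok[8] not in ("src", "dst") or tok[9] not in PORT_OPS:
            raise ValueError(f"bad port test in {line!r}")
        side, op, port = tok[8], tok[9], int(tok[10])
    return Rule(seq, action, proto, src, dst, side, op, port)

def rule_parses(line: str) -> bool:
    """True if the line is accepted as a rule (used to show typo and host-name rejection)."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.port_side is None:
        return True
    port = pkt.sport if rule.port_side == "src" else pkt.dport
    if port is None:             # a port test can never match a port-less packet
        return False
    return PORT_OPS[rule.port_op](port, rule.port)

def evaluate(rules, pkt: Packet):
    """First matching rule decides; no match falls through to the implied 'deny all'."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None

# The "permit by default" set from the thread, telnet test on the destination port.
PERMIT_BY_DEFAULT = [parse_rule(l) for l in [
    "set filter foo 1 deny tcp 0.0.0.0/0 132.181.30.3/32 dst eq 23",
    "set filter foo 2 permit tcp 0.0.0.0/0 0.0.0.0/0",
    "set filter foo 3 permit udp 0.0.0.0/0 0.0.0.0/0",
    "set filter foo 4 permit icmp 0.0.0.0/0 0.0.0.0/0",
]]

# The deny rule alone: nothing is expressly permitted, so the implied deny-all
# at the end of the set blocks every packet, telnet or not.
DENY_ONLY = [PERMIT_BY_DEFAULT[0]]

def demo():
    """Evaluate constructed sample packets (202.37.101.10 is a made-up dial-up host)
    against both sets; returns {name: (permit_by_default_result, deny_only_result)}."""
    pkts = {
        "telnet_to_cantva": Packet("tcp", "202.37.101.10", "132.181.30.3", 1025, 23),
        "telnet_elsewhere": Packet("tcp", "202.37.101.10", "192.0.2.7", 1026, 23),
        "dns_query": Packet("udp", "202.37.101.10", "192.0.2.53", 1027, 53),
        "ping": Packet("icmp", "202.37.101.10", "132.181.30.3"),
        "gre_tunnel": Packet("gre", "202.37.101.10", "192.0.2.9"),
    }
    return {n: (evaluate(PERMIT_BY_DEFAULT, p), evaluate(DENY_ONLY, p)) for n, p in pkts.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} permit-by-default={result[0]}  deny-only={result[1]}")
```

Running it shows the two behaviours side by side: under the four-rule set only telnet to 132.181.30.3 is dropped (by rule 1) and a protocol with no permit rule, such as GRE, falls to the implied deny; under the single deny rule every packet is dropped, which is the "that which isn't expressly granted is denied" surprise the thread describes. The parser also rejects the original rule 3 with its `0.0.0./0` typo and any rule that names `cantva.canterbury.ac.nz` instead of its address.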