Re: Possible Hacking routine

Jon Lewis (jlewis@inorganic5.fdt.net)
Sat, 12 Jul 1997 15:15:10 -0400 (EDT)

On Sat, 12 Jul 1997, Robert Hiltibidal wrote:

> Hmmm... my greatest fear, without the advantage of researching this, is if
> you block all packets to the portmaster are you in fact blocking your
> customers' access from the net? Obviously the answer to that question is
> no, but at the risk of international embarrassment, how do you set the
> filter up that way?

I've been doing this with terminal servers for years. Packets to/from
your customers don't have the terminal server IPs as either source or
dest, so it's not a problem. The only disadvantage is a line of *'s in
traceroutes into your network, i.e. from a remote account:

8 112.Hssi4-0.GW1.JAX1.Alter.Net (137.39.59.245) 119.49 ms 126.485 ms 114.399 ms
9 fdt-gw.fdt.net (205.229.48.1) 139.95 ms 124.405 ms 135.238 ms
10 * * *
11 fubar.fubar.fdt.net (205.229.49.241) 328.921 ms 295.096 ms 323.576 ms

Very few people have complained about this.

fdt-gw has some access-list rules that disallow packets not from our
netblocks going out to a small "subnet" of the /24 we use for our main
ethernet, in which we number the terminal servers or any other boxes we
don't want accessible from the net. I have 3 linux term servers, a PM2ei,
and a multiport linux router in that restricted block. The linux router
may have to be moved as I'm considering doing some IP Masq on it, which
would require it to talk to the net.

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
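The filter Jon describes, as an added model (not his actual access-list and not part of the original post): a restricted sub-block of the main-ethernet /24 is reachable only from the provider's own netblocks, so customer traffic is untouched while a remote traceroute shows the terminal server hop as `* * *`. The netblocks, the restricted /28 and all addresses below are assumptions, and the filter is assumed to apply in both directions, which is what hides the hop's ICMP replies.

```python
# Added example: models the border-gateway filter described in the post.
# Netblocks and addresses are constructed assumptions, not FDT's real config.
import ipaddress
from typing import List

# Assumed provider netblocks: the main-ethernet /24 and a dial-up /24.
OUR_NETBLOCKS = [ipaddress.ip_network("205.229.48.0/24"),
                 ipaddress.ip_network("205.229.49.0/24")]
# Assumed small "subnet" of the /24 where the terminal servers are numbered.
RESTRICTED = ipaddress.ip_network("205.229.48.240/28")


def is_ours(addr: str) -> bool:
    """True if addr belongs to one of the provider's own netblocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_NETBLOCKS)


def gateway_permits(src: str, dst: str) -> bool:
    """Access-list on the gateway, assumed to apply in both directions:
    drop a packet if one end is in the restricted block and the other end
    is not one of our netblocks. Customer traffic never has a restricted
    address as src or dst, so it always passes."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in RESTRICTED and not is_ours(src):
        return False
    if s in RESTRICTED and not is_ours(dst):
        return False
    return True


def traceroute_view(prober: str, target: str, path: List[str]) -> List[str]:
    """What a remote traceroute prints for the hops beyond the gateway.
    The probe is addressed to target (a customer IP), not to the hop, and
    each hop answers with ICMP time-exceeded sourced from its own address.
    A hop is shown as '*' when its reply cannot leave through the filter."""
    shown = []
    for hop in path:
        probe_ok = gateway_permits(prober, target)
        reply_ok = gateway_permits(hop, prober)
        shown.append(hop if probe_ok and reply_ok else "*")
    return shown
```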