Re: (PM) Route Filter Question

Tom (tom@sdf.com)
Sun, 30 Nov 1997 15:36:01 -0800 (PST)

On Sun, 30 Nov 1997, Jason Hatch wrote:

> Many moons ago, while trying to protect my network from various intrusions
> (such as nfs mounts, etc), I started banging away at route filters that

"route filters" are generally things to filter which routes are accepted
and from where. That isn't exactly what you are doing. ComOS only has
very, very limited route filtering control.

...
> My thinking was to apply this filter to only a subset of my class-c,
> rather than entering a separate rule for each one of the machines I wanted
> to protect. The IP address range of my UNIX machines really didn't fall
> within the bounds of a traditional subnet, so I decided to do something
> like the following:
>
> 15 deny 0.0.0.0/0 XXX.XXX.XXX.10/28 etc, etc
>
> My thinking was that I could arbitrarily set the network number (sort of
> like a VLSM) to 10 and have it match .11-.24 for all the filter rules
> using the above convention. Sort of like a "start here and count up". Now
> that I'm refreshing my stale knowledge of subnetting, I am beginning to
> wonder if that may have been a bad choice.

That is wrong. That should match 0-15. The "10" you supplied should be
ignored because it falls outside the mask (or it could create a rule
that can't match anything). Either way, you should never specify "extra"
bits, and many other routers refuse to add filter rules like that, because
they don't make sense.

Here's how filters are matched to networks: the mask is binary ANDed to
the address of the packet and compared to the filter; if it is the same,
it matches.

Tom
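The masking Tom describes, worked through in code. This is an added example, not part of the original thread or of ComOS; it assumes a constructed rule 192.0.2.10/28 standing in for XXX.XXX.XXX.10/28, and shows both ways a router might treat the stray host bits: mask them away (so the rule covers .0-.15, not .11-.24) or compare them as typed (so the rule never matches).

```python
import ipaddress

def _parse(spec: str):
    """Split 'A.B.C.D/len' into (address as int, netmask as int)."""
    addr_str, prefix_str = spec.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {spec}")
    addr = int(ipaddress.IPv4Address(addr_str))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return addr, mask

def has_extra_bits(spec: str) -> bool:
    """True when the filter address has host bits set outside its mask."""
    addr, mask = _parse(spec)
    return (addr & mask) != addr

def matched_range(spec: str) -> tuple:
    """First and last address the rule really covers once the mask is applied."""
    addr, mask = _parse(spec)
    first = addr & mask
    last = first | (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

def matches(spec: str, packet_addr: str, strict_compare: bool = False) -> bool:
    """AND the mask with the packet address and compare it to the filter.
    strict_compare=False: the filter address is masked too, so stray bits are
    ignored and 192.0.2.10/28 behaves as 192.0.2.0/28.
    strict_compare=True: the filter address is compared as typed, so a rule
    with stray bits can never match anything."""
    addr, mask = _parse(spec)
    packet = int(ipaddress.IPv4Address(packet_addr))
    target = addr if strict_compare else addr & mask
    return (packet & mask) == target

def check_rule(spec: str) -> str:
    """Refuse a rule with bits outside its mask, as many routers do."""
    if has_extra_bits(spec):
        lo, hi = matched_range(spec)
        return f"rejected: {spec} has bits outside its mask (would cover {lo}-{hi})"
    return f"accepted: {spec}"

if __name__ == "__main__":
    rule = "192.0.2.10/28"          # constructed stand-in for XXX.XXX.XXX.10/28
    print(matched_range(rule))       # covers .0-.15, not .11-.24
    for host in ("192.0.2.5", "192.0.2.20", "192.0.2.24"):
        print(host, matches(rule, host), matches(rule, host, strict_compare=True))
    print(check_rule(rule))
```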
