Re: (PM) DoS attack

Jon Lewis (jlewis@inorganic5.fdt.net)
Tue, 24 Feb 1998 14:12:43 -0500 (EST)

On Tue, 24 Feb 1998, Kelley L. wrote:

> My week for questions on filters I guess. But, in the above filter
> setup, if you have customers that call in that are assigned static IPs or
> customers that are assigned subnets, it won't let them out will it?

I'm using the following:

Command> sh filter ether0.out
1 deny 0.0.0.0/0 205.229.60.32/27 ip
2 permit 205.229.48.0/20 0.0.0.0/0 ip
3 permit 208.215.0.0/20 0.0.0.0/0 ip
4 deny 0.0.0.0/0 0.0.0.0/0 ip

The logic above is that 205.229.60.32/27 is the assigned pool...so packets
destined for it should never leave via ether0. The next 2 lines allow
packets using source addresses from either of our 2 IP blocks out
ether0...so static IP and network connections work. Anything else is
denied. This is imperfect in that it allows customers to IP spoof using
our own addresses, but it stops the bouncing problem and prevents the sort
of spoofing most people will try.

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
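The first-match logic of the ether0.out filter quoted above, as an added example that is not part of the original post or of the PortMaster software: it parses the four rules as shown and evaluates constructed sample packets against them (the addresses 192.0.2.1 and 10.0.0.1 are constructed stand-ins for an outside host and a bogus source), including the case the author flags as imperfect, a packet spoofing one of the ISP's own prefixes.

```python
import ipaddress

# The rule list exactly as shown by "sh filter ether0.out" on the page.
RULES_TEXT = """\
1 deny 0.0.0.0/0 205.229.60.32/27 ip
2 permit 205.229.48.0/20 0.0.0.0/0 ip
3 permit 208.215.0.0/20 0.0.0.0/0 ip
4 deny 0.0.0.0/0 0.0.0.0/0 ip
"""

def parse_rules(text):
    """Parse 'N action src/len dst/len proto' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        _num, action, src, dst, proto = parts
        rules.append((action, ipaddress.ip_network(src),
                      ipaddress.ip_network(dst), proto))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """Return (action, 1-based rule index) of the first matching rule.

    Both the source and destination prefix must contain the packet's
    addresses; rules are tried in order and the first hit wins.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for idx, (action, src_net, dst_net, _proto) in enumerate(rules, start=1):
        if src in src_net and dst in dst_net:
            return action, idx
    # Assumption for this example: no match means deny. Rule 4 makes
    # this branch unreachable for the list above anyway.
    return "deny", 0

RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # Constructed sample packets (source, destination, what they model).
    samples = [
        ("205.229.60.40", "192.0.2.1", "dial-up pool user going out"),
        ("205.229.50.1", "205.229.60.33", "packet bouncing back to the pool"),
        ("10.0.0.1", "192.0.2.1", "spoofed source outside both blocks"),
        ("208.215.5.5", "192.0.2.1", "spoofed source inside own block (passes)"),
    ]
    for src, dst, what in samples:
        print(f"{src:>14} -> {dst:<14} {evaluate(RULES, src, dst)}  # {what}")
```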
