Re: (PM) DoS attack

Doug Ingraham (dpi@rapidnet.com)
Wed, 25 Feb 1998 09:05:09 -0700 (MST)

On Tue, 24 Feb 1998, Kelley L. wrote:

>
>
> On Tue, 24 Feb 1998, Doug Ingraham wrote:
>
> > the ethernet interface that fixes it perfectly.
> >
> >
> > add filter e.out
> > set filter e.out 1 permit Assigned_Address/27
> > set filter e.out 2 permit Ether0_Address/32
> > set filter e.out 3 deny
> > set ether0 ofilter e.out
> > save all
> >
> >
> > Where the Assigned_Address is that portmaster's Assigned Address pool and
> > Ether0_Address is the host address of that portmaster. I will usually
> > test the filter by replacing line 3 with permit log instead of deny. If
> > you want to see what you are denying you can use deny log for line 3. You
> > need two permit lines on a PM-3 for the Assigned pool, and if you are using
> > Radius to allocate statics or routing networks you need to permit those
> > as well.
> >
> > It is notable that you don't even need a DOS attack to notice bouncing
> > packets. They can come from web servers that like to push things at your
> > customers after they have disconnected for many minutes. I have seen this
> > go on for 11 minutes when I was investigating it.
> >
> > In any case, this is a perfectly acceptable workaround and does the job
> > almost as well as having it built in would.
> >
>
> My week for questions on filters I guess. But, in the above filter
> setup, if you have customers that call in that are assigned static IPs or
> customers that are assigned subnets, it won't let them out will it?

You need to add a permit line for your static address pool as well. I
mentioned this in my note quoted above.

> As I stated last night, I usually set a static route in the PM3 with a
> metric of 15 that routes to an ip address where nothing is.
>
> For example a PM3 ether0 addr at 192.168.1.1 with assigned pool address
> 192.168.2.16 pool size 48 or whatever.
>
> I add a route like so:
>
> add route 192.168.2.0/24 192.168.1.3 15
>
> 192.168.1.3 is just an empty hole, there is nothing at 192.168.1.3 at
> all.
>
> Is there any problem with doing it this way, will it solve the above
> problem and not cause problems? I'm not arguing the best way to do
> anything, just wanting to make sure what I am doing is OK. I put this on
> each PM3 that is running OSPF to cover the assigned pool.

I prefer the filters because it stops the packets from bouncing and
prevents our customers from initiating certain types of denial of service
attacks. By blocking packets from leaving a portmaster that couldn't have
originated from that box, a devious dialup customer has a very limited
range of addresses he can pretend to be, and they are all legit addresses
inside your network. So you have a much easier time figuring out who it
is if you get a naughty customer. If they are smart enough to even figure
out what addresses can be used, they are usually smart enough not to try it
because they realize they will get caught. The ones that just try it
anyway never realize that their efforts never even leave the portmaster.

This is probably a discussion best left for another list.

Doug Ingraham
Rapid City, SD
USA

From the Ferengi Rules of Acquisition.
#34 "Peace is good for business."
#35 "War is good for business."
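The egress filter discussed in this thread, simulated as an added example (not code from the list or from Livingston): it applies the first-match permit/deny semantics of the `set filter e.out` lines to a few constructed source addresses, and shows why a static customer is dropped until a permit line for the static pool is added. The addresses and pools below are constructed for the example, not taken from anyone's PortMaster.

```python
"""Simulate the PortMaster egress (ofilter) rules from the thread.

Rules are evaluated first-match, like the `set filter e.out N permit|deny`
lines in the original note. All addresses below are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing, loosely following the thread's 192.168.x example.
ETHER0_ADDRESS = "192.168.1.1"        # host address of the PortMaster
ASSIGNED_POOL = "192.168.2.0/27"      # dynamic dialup pool (Assigned_Address/27)
STATIC_POOL = "192.168.3.0/24"        # RADIUS-assigned statics (hypothetical pool)


def build_filter(permit_statics: bool):
    """Return an ordered rule list mirroring `add filter e.out` / `set filter e.out`."""
    rules = [
        ("permit", ip_network(ASSIGNED_POOL)),              # set filter e.out 1 permit ...
        ("permit", ip_network(f"{ETHER0_ADDRESS}/32")),     # set filter e.out 2 permit ...
    ]
    if permit_statics:
        rules.append(("permit", ip_network(STATIC_POOL)))   # extra permit for statics
    rules.append(("deny", None))                            # catch-all deny
    return rules


def evaluate(rules, src):
    """First matching rule decides; returns (action, rule_number) like a `deny log` would report."""
    addr = ip_address(src)
    for number, (action, net) in enumerate(rules, start=1):
        if net is None or addr in net:
            return action, number
    return "deny", len(rules)  # unreachable with a trailing deny, kept for safety


def egress_decisions(rules, sources):
    """Map each outbound source address to the filter's decision."""
    return {src: evaluate(rules, src)[0] for src in sources}


# Constructed sample sources: a pool host, the box itself, a static customer, a spoofed address.
SAMPLE_SOURCES = ["192.168.2.17", "192.168.1.1", "192.168.3.10", "10.0.0.5"]

if __name__ == "__main__":
    for label, rules in (("no static permit", build_filter(False)),
                         ("with static permit", build_filter(True))):
        print(label, egress_decisions(rules, SAMPLE_SOURCES))
```

Replacing the trailing `("deny", None)` with a logging variant is the analogue of the `deny log` test Doug describes for line 3.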
