Re: (PM) DoS attack

David Denney (daud@dimensional.com)
Wed, 25 Feb 1998 09:37:33 -0700

> > > add filter e.out
> > > set filter e.out 1 permit Assigned_Address/27
> > > set filter e.out 2 permit Ether0_Address/32
> > > set filter e.out 3 deny
> > > set ether0 ofilter e.out
> > > save all

> You need to add a permit line for your static address pool as well. I
> mentioned this in my note quoted above.

I ended up using a different filter, that addresses my problem
more directly. I have lots of dialup address space, and anybody
could end up on any portmaster. I restricted the scope of my filter
to preventing packets destined for the portmaster from leaving.
It also blocks reserved networks. My border router blocks spoofed
traffic from leaving my network. It would be nice to have a filter
that could be applied onto a dialup port that would block source
addresses other than ones assigned to the port without having to
have a different filter for each customer.

add filter e.out
set filter e.out 1 deny 0.0.0.0/0 206.124.x.x/26
set filter e.out 2 deny 127.0.0.0/8 0.0.0.0/0
set filter e.out 3 deny 10.0.0.0/8 0.0.0.0/0
set filter e.out 4 deny 172.16.0.0/12 0.0.0.0/0
set filter e.out 5 deny 192.168.0.0/16 0.0.0.0/0
set filter e.out 6 permit
set ether0 ofilter e.out
save all

-- 
David Denney           | D i m e n s i o n a l   C o m m u n i c a t i o n s |
daud@dimensional.com   |  Shell & PPP * $25/mo 33K/56Kbps * $50/mo 64K ISDN  |
303.285.INET voice     |  http://www.dimensional.com/  info@dimensional.com  |
888.3.DIMCOM tollfree  |  Denver * Boulder * Longmont * Bailey * CO Springs  |

protect your freedom, while you still can, finger me for PGP key, use it!

- To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe portmaster-users' in the body of the message. Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
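An added check, not from the post or from Livingston: a small Python model of the e.out filter's first-match semantics (assumed: rules are applied in number order, the first match wins, and a packet matching no rule is dropped), using 206.124.1.0/26 as a stand-in for the elided 206.124.x.x/26 and a constructed TEST-NET-2 destination. The leaked_reserved() check flags any RFC 1918 source range that would still get out, for instance when the 172 rule is mistyped as 172.0.0.0/12.

```python
import ipaddress
from collections import namedtuple

# Stand-in for the post's elided 206.124.x.x/26 (constructed placeholder).
PORTMASTER_NET = "206.124.1.0/26"

# The e.out filter from the post, with the RFC 1918 range 172.16.0.0/12.
FILTER_LINES = f"""
set filter e.out 1 deny 0.0.0.0/0 {PORTMASTER_NET}
set filter e.out 2 deny 127.0.0.0/8 0.0.0.0/0
set filter e.out 3 deny 10.0.0.0/8 0.0.0.0/0
set filter e.out 4 deny 172.16.0.0/12 0.0.0.0/0
set filter e.out 5 deny 192.168.0.0/16 0.0.0.0/0
set filter e.out 6 permit
""".strip().splitlines()

Rule = namedtuple("Rule", "number action src dst")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Source networks that should never leave via ether0 (loopback + RFC 1918).
RESERVED = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_rules(lines):
    """Parse 'set filter NAME N permit|deny [SRC/LEN [DST/LEN]]' lines.
    A missing address defaults to 0.0.0.0/0 (match anything)."""
    rules = []
    for line in lines:
        parts = line.split()
        if parts[:2] != ["set", "filter"]:
            continue          # 'add filter', 'set ether0 ofilter', 'save all'
        number, action = int(parts[3]), parts[4]
        src = ipaddress.ip_network(parts[5]) if len(parts) > 5 else ANY
        dst = ipaddress.ip_network(parts[6]) if len(parts) > 6 else ANY
        rules.append(Rule(number, action, src, dst))
    return sorted(rules, key=lambda r: r.number)

def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; a packet matching no rule is dropped
    (assumed ComOS default). Returns (action, rule number)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.number
    return "deny", None

def leaked_reserved(rules, probe_dst="198.51.100.7"):
    """Reserved source networks the filter would still let out to a public
    destination (probe_dst is a constructed TEST-NET-2 address)."""
    return [str(n) for n in RESERVED
            if evaluate(rules, str(n[1]), probe_dst)[0] == "permit"]
```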