nanog mailing list archives
Re: Filtering Source Addresses on gw-internet
From: "C. Jon Larsen" <jlarsen () ajtech com>
Date: Tue, 12 Aug 1997 15:29:55 -0400 (EDT)
That's what I thought at first. But if the permit comes first, then packets with valid source addresses (a.b.c.d) get out because they pass that rule. So a packet built like: Source-> a.b.c.d Dest-> 172.17.0.0 will get out and be passed to the ISP, wasting bandwidth. That's why I deny them first, and then do the permit later on in the list.

On Tue, 12 Aug 1997, C. Jon Larsen wrote:

    gw-internet#show access-lists 120
    Extended IP access list 120
        deny ip any 10.0.0.0 0.255.255.255 log
        deny ip any 172.16.0.0 0.0.255.255 log
        deny ip any 172.17.0.0 0.0.255.255 log
        deny ip any 192.168.0.0 0.0.255.255 log
        permit ip a.b.c.0 0.0.0.255 any (27429 matches)
        deny ip any any log

Aren't the first 4 deny's redundant? Using access-lists, I was under the impression, there was an implicit deny at the end, such that all you'd need is a single permit line above, and optionally the last deny so you get to log violations.

------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator        |  be proof-read for $199/message.
 Florida Digital Turnpike     |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____

Linux.

+-------------------+---------------------+
| C. Jon Larsen     | jlarsen () ajtech com |
| Systems Engineer  | Tel: 804.353.2800   |
| A&J Technologies  |                     |
|-------------------+---------------------|
|          http://www.ajtech.com          |
+-----------------------------------------+
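
An added example, not part of the original messages: a small first-match evaluator for the access list quoted above, run against the same list with and without the four destination denies. 192.0.2.0 stands in for the elided a.b.c.0 network, and the `PERMIT_ONLY` list and the sample packets are constructed for illustration.

```python
import ipaddress

# ACL 120 from the thread; 192.0.2.0 is a constructed stand-in for a.b.c.0.
ACL_120 = """
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.0.255.255 log
deny ip any 172.17.0.0 0.0.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
permit ip 192.0.2.0 0.0.0.255 any
deny ip any any log
"""
PERMIT_ONLY = """
permit ip 192.0.2.0 0.0.0.255 any
deny ip any any log
"""  # constructed variant: the permit plus the logging deny only

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_acl(text):
    """Parse '<action> ip <src> <dst> [log]'; an address is 'any' or '<base> <wildcard>'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        rest, specs = tok[2:], []
        for _ in range(2):                      # source spec, then destination spec
            n = 1 if rest[0] == "any" else 2
            specs.append((0, 0xFFFFFFFF) if n == 1 else (_ip(rest[0]), _ip(rest[1])))
            rest = rest[n:]
        rules.append((tok[0], specs[0], specs[1], line.strip()))
    return rules

def matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF               # wildcard bits set to 1 are ignored
    return (_ip(addr) & care) == (base & care)

def evaluate(rules, src, dst):
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    for action, s, d, text in rules:
        if matches(src, s) and matches(dst, d):
            return action, text
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    packets = [("192.0.2.10", "172.17.0.1"), ("192.0.2.10", "198.51.100.5"),
               ("10.1.1.1", "198.51.100.5"), ("192.0.2.10", "172.20.0.1")]
    for src, dst in packets:                    # constructed sample packets
        print(src, "->", dst, evaluate(parse_acl(ACL_120), src, dst),
              evaluate(parse_acl(PERMIT_ONLY), src, dst))
```

The last sample packet has a destination outside the two 172.x /16 entries in the list, so it reaches the permit line in both lists.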