
North American Network Operators Group


Re: Filtering Source Addresses on gw-internet

  • From: Jon Lewis
  • Date: Tue Aug 12 16:51:21 1997

On Tue, 12 Aug 1997, C. Jon Larsen wrote:

> 
> That's what I thought at first. But if the permit comes first, then packets
> with valid source addresses (a.b.c.d) get out because they pass that rule.
> 
> So a packet built like:
> 
> Source-> a.b.c.d  Dest-> 172.17.0.0
> 
> will get out and be passed to the ISP, wasting bandwidth. That's why I deny
> them first, and then do the permit later on in the list.

Ah...I wasn't reading your rules closely enough.  As a trick to reduce
access-list length on my internet gateway, I nailed up static routes like:

ip route 208.215.0.0    255.255.240.0   null0 250
ip route 205.229.48.0   255.255.240.0   null0 250
ip route 10.0.0.0       255.0.0.0       null0 250
ip route 172.16.0.0     255.240.0.0     null0 250
ip route 192.168.0.0    255.255.0.0     null0 250

The first two are our netblocks.  The rest just stop packets for the
"private IP" nets from leaving our network.  I also have access-list rules
that prevent them from entering our network.  I'm assuming here that route
cache hits are faster than access-list testing.


------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
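The two points made in this thread, that an extended access-list is evaluated first-match (so a permit-by-source placed before the private-destination denies leaks traffic), and that a null0 route catches those destinations regardless of ACL order, can be modelled in a few lines. This is an added example, not code from the original post and not Cisco's implementation; it reuses the netblocks from the message, while the internal 208.215.1.0/24 subnet and the "upstream"/"ethernet0" next-hop names are constructed assumptions. The model compares routes by prefix length only; the administrative distance of 250 in the message only matters between routes to the same prefix, which it lets the real connected/IGP route win.

```python
from ipaddress import ip_address, ip_network

# Netblocks taken from the message: the gateway's own space plus RFC 1918 space.
OUR_NETS = [ip_network("208.215.0.0/20"), ip_network("205.229.48.0/20")]
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")


def acl_permits(rules, src, dst):
    """Cisco-style extended ACL: first matching (action, src_net, dst_net) wins,
    and an implicit deny sits at the end of the list."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


# The ordering C. Jon Larsen describes as leaky: permit our sources first.
PERMIT_FIRST = [("permit", n, ANY) for n in OUR_NETS] + \
               [("deny", ANY, p) for p in PRIVATE_NETS]
# His fix: deny private destinations first, then permit our sources.
DENY_FIRST = [("deny", ANY, p) for p in PRIVATE_NETS] + \
             [("permit", n, ANY) for n in OUR_NETS]

# Routing table modelled on the "ip route ... null0 250" lines, plus one
# constructed internal subnet that is more specific than its null route.
ROUTES = [(n, "null0") for n in OUR_NETS + PRIVATE_NETS]
ROUTES.append((ip_network("208.215.1.0/24"), "ethernet0"))  # assumption


def route_lookup(routes, dst, default="upstream"):
    """Longest-prefix match; a null0 next hop means the packet is discarded."""
    dst = ip_address(dst)
    matches = [(net, nh) for net, nh in routes if dst in net]
    if not matches:
        return default
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def egress_allowed(rules, routes, src, dst):
    """A packet leaves only if the ACL permits it and it is not null-routed."""
    return acl_permits(rules, src, dst) and route_lookup(routes, dst) != "null0"
```

Try `egress_allowed(PERMIT_FIRST, ROUTES, "208.215.1.10", "172.17.0.5")`: the mis-ordered ACL alone would pass the packet, but the 172.16.0.0/12 null route still drops it.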