North American Network Operators Group

Re: SYN floods continue
I was talking about a different filter. The one I listed was designed to prohibit someone at an exchange point from using our network for transit.

I agree, you'd want to do what you describe to prevent IP spoofing.

Avi

> >>>>> "Avi" == Avi Freedman <[email protected]> writes:
>
>     Avi> This is actually an incoming filter...
>     Avi> acc 102 permit ip any 198.138.103.0 0.0.0.255
>
> Ummmm.... disclaimer, I'm not an expert on this, but according to my
> understanding of how Cisco access lists work, the incoming filter you
> showed actually does nothing at all. The normal situation is that
> packets are coming in from random addresses, destined for your
> internal network. There is nothing in this filter that prevents your
> own source addresses from being spoofed outside your border.
>
> It seems to me that you want something more like this, which is what
> we have in place:
>
> acc 102 deny ip 198.138.103.0 0.0.0.255 any
> ...
> acc 102 permit any any
>
> It seems to work for us. Please let me know if I'm missing something here!
>
> --
> Bruce Robertson, President/CEO
> Great Basin Internet Services, Inc.
> +1-702-348-7299 fax: +1-702-348-9412
> - - - - - - - - - - - - - - - - -
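
Added example, not part of the original thread: a small Python model of the two inbound filters discussed above, showing which packets each one passes. The helper names and the test packets (documentation-range addresses) are constructed for illustration, and the model assumes only first-match evaluation, wildcard masks, and the implicit deny at the end of a Cisco access list.

```python
import ipaddress

def _spec(tokens):
    """Consume one address spec: 'any' or '<addr> <wildcard>'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]

def parse_acl(lines):
    """Parse 'acc <n> permit|deny [ip] <src> <dst>' lines into rules."""
    rules = []
    for line in lines:
        action, *rest = line.split()[2:]        # drop 'acc 102'
        rest = [t for t in rest if t != "ip"]   # protocol keyword is optional here
        src, rest = _spec(rest)
        dst, _ = _spec(rest)
        rules.append((action, src, dst))
    return rules

def _match(spec, ip):
    # Wildcard bits set to 1 are ignored; the remaining bits must match.
    keep = ~spec[1] & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & keep) == (spec[0] & keep)

def evaluate(rules, src, dst):
    """First matching rule wins; the list ends with an implicit deny."""
    for action, s, d in rules:
        if _match(s, src) and _match(d, dst):
            return action
    return "deny"

ANTI_TRANSIT = parse_acl(["acc 102 permit ip any 198.138.103.0 0.0.0.255"])
ANTI_SPOOF = parse_acl(["acc 102 deny ip 198.138.103.0 0.0.0.255 any",
                        "acc 102 permit any any"])

# Constructed packets arriving on the external interface: (label, src, dst)
PACKETS = [
    ("legitimate inbound", "192.0.2.10", "198.138.103.5"),
    ("transit attempt", "192.0.2.10", "203.0.113.7"),
    ("spoofed internal source", "198.138.103.99", "198.138.103.5"),
]

def verdicts(rules):
    return {label: evaluate(rules, s, d) for label, s, d in PACKETS}

if __name__ == "__main__":
    print({"anti-transit": verdicts(ANTI_TRANSIT), "anti-spoof": verdicts(ANTI_SPOOF)})
```

The permit-by-destination filter drops the transit attempt but passes the packet carrying an internal source address, while the deny-by-source filter does the opposite, so the two rules address different problems.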