North American Network Operators Group
Re: Filtering Source Addresses on gw-internet
That's what I thought at first. But if the permit comes first, then packets
with valid source addresses (a.b.c.d) get out because they pass that rule.
So a packet built like:

    Source-> a.b.c.d   Dest-> 172.17.0.0

will get out and be passed to the ISP, wasting bandwidth. That's why I deny
them first, and then do the permit later on in the list.

> On Tue, 12 Aug 1997, C. Jon Larsen wrote:
>
> > gw-internet#show access-lists 120
> > Extended IP access list 120
> >     deny ip any 10.0.0.0 0.255.255.255 log
> >     deny ip any 172.16.0.0 0.0.255.255 log
> >     deny ip any 172.17.0.0 0.0.255.255 log
> >     deny ip any 192.168.0.0 0.0.255.255 log
> >     permit ip a.b.c.0 0.0.0.255 any (27429 matches)
> >     deny ip any any log
>
> Aren't the first 4 deny's redundant? Using access-lists, I was under the
> impression, there was an implicit deny at the end, such that all you'd
> need is a single permit line above, and optionally the last deny so you
> get to log violations.
>
> ------------------------------------------------------------------
> Jon Lewis <[email protected]>         | Unsolicited commercial e-mail will
> Network Administrator                  | be proof-read for $199/message.
> Florida Digital Turnpike               |
> ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
>
> Linux.

+-------------------+---------------------+
| C. Jon Larsen     | [email protected]    |
| Systems Engineer  | Tel: 804.353.2800   |
| A&J Technologies  |                     |
|-------------------+---------------------|
| http://www.ajtech.com                   |
+-----------------------------------------+
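The ordering argument in the message can be checked offline with a small first-match evaluator. This is an added example, not code from the NANOG thread or from either poster; it models only the syntax the thread shows (permit/deny ip with wildcard masks, `any`, trailing `log`). The poster's a.b.c.0/24 is stood in for by the constructed, documentation-only prefix 198.51.100.0/24, and 203.0.113.9 is a constructed external destination.

```python
"""First-match evaluation of a Cisco-style extended IP access list.

Added example, not code from the NANOG thread or from either poster. It models
only the syntax the thread shows (permit/deny ip <src> <wild> <dst> <wild>,
`any`, trailing `log`) so the effect of rule ordering can be checked offline.
The poster's a.b.c.0/24 is stood in for by the constructed, documentation-only
prefix 198.51.100.0/24; 203.0.113.9 is a constructed external destination.
"""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(toks, i):
    """Consume one address spec at toks[i]; return ((base, wildcard), next_index)."""
    if toks[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    return (toks[i], toks[i + 1]), i + 2


def parse_acl(text):
    """Parse 'show access-lists' style output into (action, src, dst, log) tuples.

    The list header is skipped, and a trailing hit counter such as
    '(27429 matches)' is ignored.
    """
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        action = toks[0]
        src, i = _take_addr(toks, 2)  # toks[1] is the protocol keyword "ip"
        dst, i = _take_addr(toks, i)
        rules.append((action, src, dst, "log" in toks[i:]))
    return rules


def evaluate(rules, src, dst):
    """Return (action, rule_index, logged) for the first rule matching the packet.

    No match falls to the implicit deny at the end of every Cisco ACL, which
    is neither numbered nor logged; the thread's explicit 'deny ip any any log'
    exists so those drops are logged.
    """
    for idx, (action, (sb, sw), (db, dw), log) in enumerate(rules):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, idx, log
    return "deny", None, False


# The list from the thread, private-destination denies first (as C. Jon Larsen
# runs it), with a.b.c.0 replaced by the constructed 198.51.100.0.
DENY_FIRST = """
Extended IP access list 120
    deny ip any 10.0.0.0 0.255.255.255 log
    deny ip any 172.16.0.0 0.0.255.255 log
    deny ip any 172.17.0.0 0.0.255.255 log
    deny ip any 192.168.0.0 0.0.255.255 log
    permit ip 198.51.100.0 0.0.0.255 any (27429 matches)
    deny ip any any log
"""

# The ordering Jon Lewis asked about: the permit line on top.
PERMIT_FIRST = """
Extended IP access list 120
    permit ip 198.51.100.0 0.0.0.255 any
    deny ip any 10.0.0.0 0.255.255.255 log
    deny ip any 172.16.0.0 0.0.255.255 log
    deny ip any 172.17.0.0 0.0.255.255 log
    deny ip any 192.168.0.0 0.0.255.255 log
    deny ip any any log
"""


def compare_orderings():
    """Run the packet from the message (valid source, destination 172.17.0.0) through both lists."""
    deny_first = parse_acl(DENY_FIRST)
    permit_first = parse_acl(PERMIT_FIRST)
    pkt = ("198.51.100.7", "172.17.0.0")
    return {
        "deny_first": evaluate(deny_first, *pkt),      # ('deny', 2, True)
        "permit_first": evaluate(permit_first, *pkt),  # ('permit', 0, False)
    }


if __name__ == "__main__":
    for name, result in compare_orderings().items():
        print(f"{name:13s} -> {result}")
```

With the denies first, the valid-source packet bound for 172.17.0.0 is dropped and logged by the third rule; with the permit on top it is forwarded by rule 0 and the denies never see it. One caveat the evaluator also makes visible: the thread's two 172.x lines use the wildcard 0.0.255.255, so they cover only 172.16.0.0/16 and 172.17.0.0/16, and a destination such as 172.20.1.1 slips through to the permit; a single line with base 172.16.0.0 and wildcard 0.15.255.255 covers the whole 172.16.0.0/12 private block.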