North American Network Operators Group


Re: Filtering Source Addresses on gw-internet

  • From: C. Jon Larsen
  • Date: Tue Aug 12 15:51:16 1997

That's what I thought at first. But if the permit comes first, then packets
with valid source addresses (a.b.c.d) get out because they pass that rule.

So a packet built like:

Source-> a.b.c.d  Dest-> 172.17.0.0

will get out and be passed to the ISP, wasting bandwidth. That's why I deny
them first, and then do the permit later on in the list.

> On Tue, 12 Aug 1997, C. Jon Larsen wrote:
> 
> > gw-internet#show access-lists 120
> > Extended IP access list 120
> >     deny   ip any 10.0.0.0 0.255.255.255 log
> >     deny   ip any 172.16.0.0 0.0.255.255 log
> >     deny   ip any 172.17.0.0 0.0.255.255 log
> >     deny   ip any 192.168.0.0 0.0.255.255 log
> >     permit ip a.b.c.0 0.0.0.255 any (27429 matches)
> >     deny   ip any any log
> 
> Aren't the first 4 deny's redundant?  Using access-lists, I was under the
> impression, there was an implicit deny at the end, such that all you'd
> need is a single permit line above, and optionally the last deny so you
> get to log violations.
> 
> ------------------------------------------------------------------
>  Jon Lewis <[email protected]>  |  Unsolicited commercial e-mail will
>  Network Administrator       |  be proof-read for $199/message.
>  Florida Digital Turnpike    |  
> ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
> 
> 


Linux.

+-------------------+---------------------+
| C. Jon Larsen     | [email protected]  |
| Systems Engineer  | Tel: 804.353.2800   |
| A&J Technologies  |                     |
|-------------------+---------------------|
|         http://www.ajtech.com           |
+-----------------------------------------+
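The ordering argument above can be checked by simulating how IOS walks an extended access list: top to bottom, first match wins, implicit deny at the end. The following is an added example, not code from the thread or from any Cisco tool. It parses the list exactly as posted, with the constructed prefix 203.0.113.0/24 standing in for a.b.c.0/24, and compares the posted deny-first ordering against the permit-first ordering suggested in the reply for a packet with a valid source and an RFC 1918 destination.

```python
"""First-match evaluation of a Cisco-style extended IP access list.

Added example (not from the NANOG thread). It models how IOS walks an ACL
top to bottom and stops at the first matching entry, with an implicit
'deny ip any any' if nothing matches. The network 203.0.113.0/24 stands in
for the a.b.c.0/24 in the posted list (constructed placeholder, TEST-NET-3).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == net 0.0.0.0 with all-ones wildcard


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src: str           # network address
    src_wild: str      # IOS wildcard mask (1 bits are "don't care")
    dst: str
    dst_wild: str
    log: bool = False


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard semantics: only bits that are 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse lines like 'deny ip any 10.0.0.0 0.255.255.255 log'.

    Only the forms used in the thread are handled: 'any' and 'net wildcard'
    address specs, protocol 'ip', optional trailing 'log'. A trailing
    '(N matches)' counter, as printed by 'show access-lists', is ignored.
    """
    entries = []
    for raw in text.strip().splitlines():
        line = raw.split("(")[0]           # drop "(27429 matches)" style counters
        tok = line.split()
        if not tok:
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {raw!r}")
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]

        def take(r):
            if r[0] == "any":
                return ANY, r[1:]
            return (r[0], r[1]), r[2:]

        (src, sw), rest = take(rest)
        (dst, dw), rest = take(rest)
        entries.append(AclEntry(action, src, sw, dst, dw, log))
    return entries


def evaluate(acl: List[AclEntry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching entry); index None means the implicit deny."""
    for i, e in enumerate(acl):
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action, i
    return "deny", None


# The list as posted (a.b.c.0 replaced by the constructed 203.0.113.0).
DENY_FIRST = """
deny   ip any 10.0.0.0 0.255.255.255 log
deny   ip any 172.16.0.0 0.0.255.255 log
deny   ip any 172.17.0.0 0.0.255.255 log
deny   ip any 192.168.0.0 0.0.255.255 log
permit ip 203.0.113.0 0.0.0.255 any (27429 matches)
deny   ip any any log
"""

# The ordering discussed in the reply: permit our prefix first, then a logging deny.
PERMIT_FIRST = """
permit ip 203.0.113.0 0.0.0.255 any
deny   ip any any log
"""


def decide(acl_text: str, src: str, dst: str) -> str:
    """Convenience wrapper: 'permit' or 'deny' for one packet under one list."""
    return evaluate(parse_acl(acl_text), src, dst)[0]


if __name__ == "__main__":
    pkt = ("203.0.113.7", "172.17.0.1")   # valid source, private destination
    for name, text in (("deny-first", DENY_FIRST), ("permit-first", PERMIT_FIRST)):
        action, idx = evaluate(parse_acl(text), *pkt)
        where = "implicit deny" if idx is None else f"entry {idx + 1}"
        print(f"{name:12s} {pkt[0]} -> {pkt[1]}: {action} ({where})")
```

Under the deny-first list the packet hits entry 3 and is dropped and logged; under the permit-first list it hits entry 1 and leaves for the ISP, which is the waste the post describes. A spoofed source (anything outside 203.0.113.0/24) is dropped by the final logging deny under both orderings, so the four leading denies only change the outcome for traffic with a legitimate source. One caveat for anyone copying the pattern: the posted entries cover 172.16.0.0/16 and 172.17.0.0/16 individually, while RFC 1918 reserves all of 172.16.0.0/12; a single entry with wildcard 0.15.255.255 on 172.16.0.0 would cover the whole block, and the simulation shows a 172.20.x.x destination slipping through the list as posted.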