|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: SMURF amplifier block list
Really? I thought that extended access-lists needed wildcard masks which is why I said 255.255.255.0. If an inbound access-list on a hssi says: access-list 101 deny icmp any 0.0.0.255 255.255.255.0 It is denying only packets with a destination to any.any.any.255. In the example below, he is actually denying anything from anywhere, not the broadcasts: <snip> deny ip any x.y.z.255 255.255.255.255 </snip> If he wanted to deny ip to broadcasts on a specific network, he would: deny ip any x.y.z.255 0.0.0.0 or deny ip any host x.y.z.255 Am I lost here?! =P On Sun, 19 Apr 1998, Dean Anderson wrote: :No, because you only want to stop the packets coming into the broadcast :address, not the entire network. (You may want to block the entire network, :say for security reasons, but that's a slightly different issue). : :I suspect that you are confused with the wildcarding. The second parameter :is a mask for the first. All ones on the mask mean it matches exactly the :first address. Leaving the last octet of the mask 0 means it matches all ip :addresses that begin with x.y.z, including the broadcast address. : : --Dean : :At 6:46 PM -0400 4/19/98, [email protected] wrote: :>Uhmm, would the 255.255.255.255 wildcard not be 255.255.255.0? :> :>On Sat, 18 Apr 1998, Dean Anderson wrote: :> :>:Umm, I think this has already been hashed out. This is not the only netmask :>:on the planet, and you don't know what other networks netmasks are under :>:CIDR. Trying to guess the netmask just leads to breakage. :>: :>:All you want to do is stop packets coming in to your broadcast address. :>:For example, for your network x.y.z/n (n=24) with your broadcast address :>:of x.y.z.255: (I presume everyone can translate between CIDR notation and :>:dotted decimal ;-) :>: :>:deny ip any x.y.z.255 255.255.255.255 :>: :>:no ip directed broadcast basically puts in the same rule, but it does it :>:automatically by looking at the netmasks on the interfaces. : : :++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ : Plain Aviation, Inc [email protected] : LAN/WAN/UNIX/NT/TCPIP/DCE http://www.av8.com : We Make IT Fly! (617)242-3091 x246 :++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ : : -- Regards, Jason A. Lixfeld [email protected] iDirect Network Operations [email protected] --------------------------------------------------------------------- TUCOWS Interactive Ltd. o/a | "A Different Kind of Internet Company" Internet Direct Canada Inc. | "FREE BANDWIDTH for Toronto Area IAPs" 5415 Dundas Street West | http://www.torontointernetxchange.net Suite 301, Toronto Ontario | (416) 236-5806 (T) M9B-1B5 CANADA | (416) 236-5804 (F) ---------------------------------------------------------------------
|