North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SMURF amplifier block list

  • From: Jason Lixfeld
  • Date: Fri Apr 24 12:07:24 1998

Really?  I thought that extended access-lists needed wildcard masks which
is why I said  If an inbound access-list on a hssi says:

access-list 101 deny icmp any

It is denying only packets with a destination to any.any.any.255.  In the
example below, he is actually denying anything from anywhere, not the

deny ip any x.y.z.255

If he wanted to deny ip to broadcasts on a specific network, he would:

deny ip any x.y.z.255 
deny ip any host x.y.z.255

Am I lost here?! =P

On Sun, 19 Apr 1998, Dean Anderson wrote:

:No, because you only want to stop the packets coming into the broadcast
:address, not the entire network. (You may want to block the entire network,
:say for security reasons, but that's a slightly different issue).
:I suspect that you are confused with the wildcarding. The second parameter
:is a mask for the first. All ones on the mask mean it matches exactly the
:first address. Leaving the last octet of the mask 0 means it matches all ip
:addresses that begin with x.y.z, including the broadcast address.
:		--Dean
:At 6:46 PM -0400 4/19/98, [email protected] wrote:
:>Uhmm, would the wildcard not be
:>On Sat, 18 Apr 1998, Dean Anderson wrote:
:>:Umm, I think this has already been hashed out. This is not the only netmask
:>:on the planet, and you don't know what other networks netmasks are under
:>:CIDR. Trying to guess the netmask just leads to breakage.
:>:All you want to do is stop packets coming in to your broadcast address.
:>:For example, for your network x.y.z/n  (n=24) with your broadcast address
:>:of x.y.z.255: (I presume everyone can translate between CIDR notation and
:>:dotted decimal ;-)
:>:deny ip any x.y.z.255
:>:no ip directed broadcast basically puts in the same rule, but it does it
:>:automatically by looking at the netmasks on the interfaces.
:           Plain Aviation, Inc                  [email protected]
:           We Make IT Fly!                (617)242-3091 x246


Jason A. Lixfeld             [email protected]
iDirect Network Operations   [email protected]

TUCOWS Interactive Ltd. o/a  | "A Different Kind of Internet Company"
Internet Direct Canada Inc.  | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West      |
Suite 301, Toronto Ontario   | (416) 236-5806	     (T)
M9B-1B5 CANADA               | (416) 236-5804        (F)