North American Network Operators Group


Re: Network Operators and smurf

  • From: Dean Anderson
  • Date: Fri Apr 24 18:42:06 1998

At 5:53 PM -0400 4/24/98, Jay R. Ashworth wrote:

>It's been my understanding that the knobs are in fact _not_ there,
>Dean, but I'd be happy to be proven wrong.

There isn't a simple knob, but then it isn't simple to know what a forgery
is. You have to tell the router.  The router doesn't know what you and
other people "own", but you can tell it.  I'd say there isn't a way to make
a simple on/off knob for that, because there isn't any way to tell who you
will transit for and who you won't.

On your outbound interface(s):

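! <yournet-N> stands for a source address and wildcard mask
access-list 101 permit ip <yournet-1> any
access-list 101 permit ip <yournet-2> any
...
access-list 101 deny ip any any
! the direction is set where the list is applied, not on the entries
interface <outbound-interface>
 ip access-group 101 out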

This allows only packets sourced from your networks to be sent.

Or, another perhaps better way is to only accept packets from your customer
networks which are sourced from those networks.  Each customer interface
then has an inbound filter that blocks everything not sourced from your
customer's network.

		--Dean


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
           Plain Aviation, Inc                  [email protected]
           LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
           We Make IT Fly!                (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
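
The two filter placements described in the message above, modeled as an added example that is not part of the original post. The customer names, prefixes (RFC 5737 documentation ranges) and sample packets are constructed assumptions; the model shows which forged sources each placement stops.

```python
import ipaddress

# Constructed sample addressing (RFC 5737 documentation prefixes), not from the post.
CUSTOMER_NETS = {
    "cust-a": ipaddress.ip_network("192.0.2.0/24"),
    "cust-b": ipaddress.ip_network("198.51.100.0/24"),
}

def first_match(acl, src):
    """Evaluate an ACL top-down; the first matching entry decides, default deny."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"

def egress_acl():
    """Border outbound filter: permit every prefix you own, deny the rest."""
    return [("permit", net) for net in CUSTOMER_NETS.values()]

def customer_ingress_acl(customer):
    """Per-customer inbound filter: permit only that customer's own prefix."""
    return [("permit", CUSTOMER_NETS[customer])]

def forwarded(customer, src, per_customer_filter):
    """True if a packet entering from `customer` with source `src`
    is allowed to leave the network through the border."""
    if per_customer_filter:
        if first_match(customer_ingress_acl(customer), src) == "deny":
            return False
    return first_match(egress_acl(), src) == "permit"

# Constructed packets: (arriving customer interface, claimed source address)
SAMPLES = [
    ("cust-a", "192.0.2.10"),    # legitimate source
    ("cust-a", "203.0.113.7"),   # forged, outside every local prefix
    ("cust-a", "198.51.100.9"),  # forged, but inside another customer's prefix
]

def run():
    """Return (customer, src, border-only result, per-customer result) per sample."""
    return [(c, s, forwarded(c, s, False), forwarded(c, s, True))
            for c, s in SAMPLES]

if __name__ == "__main__":
    for cust, src, border_only, with_ingress in run():
        print(f"{cust} src={src:<14} border-only={border_only} "
              f"per-customer={with_ingress}")
```

The third sample passes the border-only filter because the forged source still falls inside a prefix the network owns; only the per-customer inbound filter drops it.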