>In article <9407061504.AA04237@whizbang.intellistor.com>,
>Quentin Johnson <quent.johnson@intellistor.com> wrote:
>>Why not put a router/packet filter between the Internet and the bastion
>>host? Then you can tell the router to drop packets going to your
>>networks that have your IP addresses since nobody with your IP
>>addresses should be coming through the router from the Internet.
That's a pretty standard practice I would imagine. Simply set up a
filter for the router that says drop any packet that comes from subnet
such and such.
>This requires a router which supports separate filters for
>incoming and outgoing traffic right? It's my understanding
>that not all routers have this feature. Am I wrong?
>
By incoming and outgoing do you mean inbound and outbound to/from the
protected network, or do you mean the port the packet enters by and the
port the packet leaves by? If the latter, I believe you are correct.
However, it's really only an issue if the router has more than 2
ethernet ports.
The problem with more than 2 ports and output side only filtering is
that the port in question (assuming it's on the protected net) won't
know if the packet came from another port on the protected net, or
from the outside. Hence, there's no way to know whether the packet
should be dropped or passed. With only 2 ports, there's only one
place that packet could have come from, and what to do with it is
obvious.
Hope that helps.
-- Rob Tanner
Robert J. Tanner, Ames Research Center
(415) 604-3451 (SETI), (415) 604-5347 (Kuiper)
tanner@george.arc.nasa.gov
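As an added illustration, not part of the original post, the following constructed Python model compares the two filtering styles discussed in the thread: an input-side anti-spoofing rule applied on the Internet-facing interface, and an output-side-only rule that never sees the arrival interface and therefore cannot decide once the router has more than two ports. The prefixes, interface names and packets are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example site: these two prefixes are "our" addresses.
PROTECTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

OUTSIDE_PORT = "ext0"  # assumed name of the interface facing the Internet


@dataclass
class Packet:
    src: str       # source IP address as written in the packet
    in_port: str   # interface the packet arrived on
    out_port: str  # interface the router would forward it out of


def has_internal_source(src):
    """True if the source address belongs to one of our own prefixes."""
    return any(ipaddress.ip_address(src) in net for net in PROTECTED_NETS)


def input_side_filter(pkt):
    """Anti-spoofing rule applied on the interface the packet ENTERS by.
    Anything arriving from the Internet side that claims one of our own
    source addresses cannot be legitimate, so it is dropped. This works
    for any number of ports because the arrival interface is known."""
    if pkt.in_port == OUTSIDE_PORT and has_internal_source(pkt.src):
        return "drop"
    return "pass"


def output_side_filter(src, out_port, router_ports):
    """Same policy on a router that can only filter by the interface the
    packet LEAVES by. The arrival interface is deliberately not a
    parameter: that is exactly what such a router cannot see.
    With two ports, leaving on the inside port means the packet came
    from outside, so the decision is unambiguous. With three or more
    ports an internal source on an inside-bound packet may have come
    from another inside port or from the Internet, and the filter
    cannot tell the two apart."""
    if out_port == OUTSIDE_PORT or not has_internal_source(src):
        return "pass"
    if len(router_ports) == 2:
        return "drop"      # the only other port is the outside one
    return "ambiguous"     # spoofed and legitimate packets look identical
```

Running the two filters over the same spoofed packet shows the input-side rule dropping it on any router, while the output-side rule only gets it right on the two-port router.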