Rob Sansom wrote:
Yes, it seems to be correct. Anyway, I think it would be a good idea
to also filter the (possible) spoofed packets that might leave your
network. I mean that it will be a good protection for the other
providers...
Add something like:
! Permit outgoing only for your packets
access-list 112 permit ip 123.456.789.0 0.0.0.255 any
! Log and deny any spoofing attempt from your network
access-list 112 deny ip any any log
int s0
ip access-group 111 in
ip access-group 112 out
Regards,
Corneliu Tanasa
Network Admin
LOGIC TELECOM - ROMANIA
>
> ! Deny spoofers
> access-list 111 deny ip 123.456.789.0 0.0.0.255 any log
> ! Permit ftp
> access-list 111 permit tcp any host 123.456.789.35 eq ftp
> ! Log the rest
> access-list 111 deny ip any 123.456.789.0 0.0.0.255 log
>
> And how I plan to use it.
>
> int s0
> ip access-group 111 in
>
> Am I correct in assuming that the 'access-list 111 deny ip 123.456.789.0
> 0.0.0.255 any log'
> line will screen all spoofed packets (with a source address of
> 123.456.789.x) to all my subnets based on the 123.456.789 class C, since
> the '0.0.0.255' is a wildcard for the host portion, thus any packet with
> the 123.456.789 address coming from the internet will be a match?
>
> Thanks in Advance,
>
> #include <standard_disclaimer.h>
>
> Rob Sansom
> Network Admin.
> Connectix Corp
> (415) 638-7398
> sansom @ connectix . com
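As an added illustration (not code from either post) of the wildcard-mask question Rob raises and of the inbound list 111 and outbound list 112 discussed above, the following Python simulates IOS first-match ACL evaluation on a few constructed packets. The thread's 123.456.789.0 is not a valid address, so the documentation range 192.0.2.0/24 stands in for it; the packet dictionaries and the `evaluate` helper are assumptions of this example.

```python
import ipaddress

# Constructed stand-in for the thread's placeholder 123.456.789.0 network.
NET = "192.0.2"
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    0.0.0.255 therefore ignores the host octet and matches the whole /24."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, pkt):
    """First matching entry wins; IOS appends an implicit, unlogged
    'deny ip any any'. Returns (action, logged) for a packet dict with
    keys proto, src, dst and optionally dport."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue  # 'ip' entries match every protocol
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace.get("dport") is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], ace.get("log", False)
    return "deny", False


# access-list 111, applied inbound on s0: drop packets arriving from the
# Internet that claim our own source range, allow FTP to .35, log the rest.
ACL_111 = [
    {"action": "deny", "proto": "ip", "src": (NET + ".0", "0.0.0.255"), "dst": ANY, "log": True},
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": (NET + ".35", "0.0.0.0"), "dport": 21},
    {"action": "deny", "proto": "ip", "src": ANY, "dst": (NET + ".0", "0.0.0.255"), "log": True},
]

# access-list 112, applied outbound on s0: only our own addresses may leave,
# so a host inside the network cannot spoof someone else's source address.
ACL_112 = [
    {"action": "permit", "proto": "ip", "src": (NET + ".0", "0.0.0.255"), "dst": ANY},
    {"action": "deny", "proto": "ip", "src": ANY, "dst": ANY, "log": True},
]


if __name__ == "__main__":
    spoofed_in = {"proto": "tcp", "src": NET + ".77", "dst": NET + ".35", "dport": 21}
    print("inbound spoof  ->", evaluate(ACL_111, spoofed_in))
    spoofed_out = {"proto": "udp", "src": "10.0.0.5", "dst": "203.0.113.5"}
    print("outbound spoof ->", evaluate(ACL_112, spoofed_out))
```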