hi
I'm using extended access list filters on external interfaces to prevent subj.
But there is still one problem: if an address from _your_ subnet is on the
remote end (your provider's router), you have to permit packets from this
address arriving on the external (for your network) interface.
This is true at least when I'm exchanging routing information with that host:
     -----         I2       -------------
    | R1 |----------------| R external |------ Internet
     -----                  -------------
       | I1
       |
     -----
    | LAN |
     -----
R1 - router for my site
R external - router of my provider
I1 - internal (LAN) interface
I2 - external interface.
Suppose I2 has IP addr: xx.xx.xx.128 netmask 255.255.255.224 and
I2 on R external has IP addr: xx.xx.xx.129 netmask 255.255.255.224,
I1 has IP addr: xx.xx.xx.69 netmask 255.255.255.224.
So I have different subnets of network xx.xx.xx.0 assigned to different
interfaces.
I can prevent incoming packets from R external with source address
    xx.xx.xx.0 0.0.0.255 any
but I have to permit
    xx.xx.xx.129 0.0.0.0
thus permitting subj. from at least one address.
Sure, that's better than subj. from any of 254 addresses, but what the hell ;).
Any suggestions?
Another thing: ICMP redirects, whom I can trust and how to properly set up an
access list for this. I've found at least 3 types of ICMP redirects
mentioned in Cisco docs...
rgds,
serge
--
+-------------------------------------+-------------------------------------+
| Sergey Zhuk                         | serge@freenet.kiev.ua               |
| UN Internet Project                 | +380-44-228-6393                    |
| System and Network Administrator    | www.freenet.kiev.ua, www.un.kiev.ua |
+-------------------------------------+-------------------------------------+
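One way to narrow the hole the post describes, as an added example and not the poster's own configuration: instead of permitting everything from the provider's address, permit only the routing exchange with it, then drop everything else that claims a source inside your own block, and drop ICMP redirects from the outside while you are at it. It assumes the addresses from the post, that the routing protocol exchanged with R external is RIP (UDP port 520) and that I2 is Serial0; "xx.xx.xx" is the poster's placeholder for the real first three octets.

```cisco
! Added example (not from the original post). Applied inbound on I2 of R1.
! Entries are evaluated top-down, first match wins.
!
! 1. The single legitimate outside source inside our own xx.xx.xx.0/24:
!    the provider's router, but only for the routing protocol we run with it
!    (assumed RIP here; swap the ports for whatever you actually exchange).
access-list 101 permit udp host xx.xx.xx.129 eq rip host xx.xx.xx.128 eq rip
!
! 2. Anything else arriving from outside with a source in our block is
!    spoofed. "log" records the hits so spoofing attempts show up in syslog.
access-list 101 deny   ip xx.xx.xx.0 0.0.0.255 any log
!
! 3. ICMP redirects from the outside are never legitimate for a stub site;
!    the "redirect" keyword matches all redirect codes (net, host, ToS).
access-list 101 deny   icmp any any redirect log
!
! 4. Everything else (normal return traffic) is allowed.
access-list 101 permit ip any any
!
interface Serial0
 description I2 - link to provider (R external)
 ip access-group 101 in
 ! Also stop R1 itself from generating redirects on this link.
 no ip redirects
```

With this in place, a packet from the provider's address that is not RIP falls through to entry 2 and is dropped and logged, so the exposure is reduced from "anything from xx.xx.xx.129" to "RIP from xx.xx.xx.129".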