We have a Cisco 1720 border router currently configured to do nothing but route packets. No filtering. I have been thinking about putting an "INGRESS" ACL on the serial link to block bogus inbound packets.

http://www.iana.org/assignments/ipv4-address-space

    access-list 101 deny ip 0.0.0.0 0.255.255.255 any log-input
    access-list 101 deny ip 1.0.0.0 0.255.255.255 any log-input
    access-list 101 deny ip 2.0.0.0 0.255.255.255 any log-input
    access-list 101 deny ip 5.0.0.0 0.255.255.255 any log-input
    {snip}

But instead of applying an "EGRESS" ACL to the same Cisco serial link, I was thinking of entering these filters on the LAN & DMZ links of m0n0wall. I am thinking that if some rogue application is trying to phone home, by applying the filter to the m0n0wall link(s) I can see which local host is passing the bad packets. Or would I just apply the filters to the WAN link?

    access-list 102 deny ip any 0.0.0.0 0.255.255.255 log-input
    access-list 102 deny ip any 1.0.0.0 0.255.255.255 log-input
    access-list 102 deny ip any 2.0.0.0 0.255.255.255 log-input
    access-list 102 deny ip any 5.0.0.0 0.255.255.255 log-input
    {snip}

Our layout looks like this:

    --(s0)1720(e0)------m0n0wall----LAN
                            |
                            |
                           DMZ

What are your thoughts?

Thanks,
-Don
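The following is an added example, not part of Don's post or of m0n0wall or Cisco IOS: a small Python evaluator for the extended ACL lines quoted above (Cisco wildcard masks, first-match order, implicit deny at the end) that replays a few constructed packets through the egress bogon list under the two placements Don is weighing. The interface names, the sample addresses (RFC 1918 and RFC 5737 ranges), and the assumption that m0n0wall NATs outbound traffic behind a single public address are all constructed for the example; only contiguous wildcard masks are supported. One caveat a reader should carry away: the /8s in the post reflect the IANA list of its day, and 1.0.0.0/8, 2.0.0.0/8 and 5.0.0.0/8 have since been allocated, so any bogon ACL of this kind has to be refreshed against the current registry rather than copied.

```python
"""Evaluate Cisco-style extended ACL lines and show what 'log-input' would
report for an egress bogon filter placed on the inside (LAN/DMZ) links
versus the WAN link.  Added example; names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "deny" or "permit"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool                      # trailing 'log' or 'log-input'


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i].
    Returns (network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard mask is an inverted netmask: 0 bits must match.
    # (ipaddress only accepts contiguous masks, which is all the post uses.)
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False), i + 2


def parse_acl(text):
    """Parse lines of the form
    'access-list 102 deny ip any 1.0.0.0 0.255.255.255 log-input'.
    Only 'ip' entries are handled; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        log = i < len(t) and t[i] in ("log", "log-input")
        entries.append(AclEntry(t[2], src, dst, log))
    return entries


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; an unmatched packet hits the implicit
    (unlogged) 'deny ip any any'.  Returns (action, 1-based line, logged)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, e in enumerate(acl, 1):
        if s in e.src and d in e.dst:
            return e.action, n, e.log
    return "deny", None, False


# The post's egress list plus the explicit permit that the snipped part
# of a working ACL has to end with (assumption).
EGRESS_ACL = parse_acl("""
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log-input
access-list 102 deny ip any 1.0.0.0 0.255.255.255 log-input
access-list 102 deny ip any 2.0.0.0 0.255.255.255 log-input
access-list 102 deny ip any 5.0.0.0 0.255.255.255 log-input
access-list 102 permit ip any any
""")

# Constructed packets leaving the site: (first-hop interface, src, dst).
PACKETS = [
    ("LAN", "192.168.1.23", "1.2.3.4"),       # LAN host talking to a listed range
    ("LAN", "192.168.1.7", "198.51.100.9"),   # ordinary traffic
    ("DMZ", "192.168.2.5", "5.6.7.8"),        # DMZ host talking to a listed range
]


def simulate(placement, packets, acl, nat_addr="203.0.113.2"):
    """Return the log-input style records the egress ACL would produce.

    placement == "inside": ACL applied inbound on the LAN and DMZ links,
                           i.e. before NAT, so the real source is visible.
    placement == "wan":    ACL applied on the WAN link after NAT (assumed),
                           so every hit carries the firewall's public address.
    """
    logs = []
    for iface, src, dst in packets:
        if placement == "wan":
            iface, src = "WAN", nat_addr
        action, line, logged = evaluate(acl, src, dst)
        if action == "deny" and logged:
            logs.append({"iface": iface, "src": src, "dst": dst, "line": line})
    return logs


if __name__ == "__main__":
    for placement in ("inside", "wan"):
        print(f"--- filter on {placement} ---")
        for rec in simulate(placement, PACKETS, EGRESS_ACL):
            print(f"denied on {rec['iface']}: {rec['src']} -> {rec['dst']} "
                  f"(line {rec['line']})")
```

Run as a script it prints two denied records per placement; the inside placement names 192.168.1.23 on LAN and 192.168.2.5 on DMZ, while the WAN placement attributes both hits to 203.0.113.2, which is the point in favour of filtering on the m0n0wall LAN and DMZ links when the goal is to identify the host.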