 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Blocking inbound traffic
 Date:  Fri, 12 Aug 2005 04:23:22 +0200
Don,

the 1720 should not have any problems handling this.
By the way, take a look at http://www.cymru.com
Depending on your setup you can use Cisco template configs or even
automate the bogon list via BGP.
That's much easier than updating your ACLs by hand...

This could also be a nice feature for m0n0wall.


Daniele



Don Munyak wrote:
> We have a Cisco 1720 border router currently configured to do nothing
> but route packets. No filtering. I have been thinking about putting an
> "INGRESS" ACL on the serial link to block bogus inbound packets.
> 
> http://www.iana.org/assignments/ipv4-address-space
> 
> access-list 101 deny ip 0.0.0.0 0.255.255.255 any log-input
> access-list 101 deny ip 1.0.0.0 0.255.255.255 any log-input
> access-list 101 deny ip 2.0.0.0 0.255.255.255 any log-input
> access-list 101 deny ip 5.0.0.0 0.255.255.255 any log-input
> {snip}
> 
> But instead of applying an "EGRESS" ACL to the same Cisco serial link,
> I was thinking of entering these filters on the LAN & DMZ links of
> m0n0wall. I am thinking that if some rogue application is trying to
> phone home, by applying the filter to the m0n0wall link(s), I can see
> which local host is passing the bad packets. Or would I just apply the
> filters to the WAN link?
> 
> access-list 102 deny ip any 0.0.0.0 0.255.255.255 log-input
> access-list 102 deny ip any 1.0.0.0 0.255.255.255 log-input
> access-list 102 deny ip any 2.0.0.0 0.255.255.255 log-input
> access-list 102 deny ip any 5.0.0.0 0.255.255.255 log-input
> {snip}
> 
> Our layout looks like this
> 
> --(s0)1720(e0)------m0n0wall----LAN
>                        |
>                        |
>                       DMZ
> 
> What are your thoughts ?
> 
> Thanks,
> -Don

-- 

best regards

------------------------------------------------------------------
Daniele Guazzoni
Senior Network Engineer, CCNA, CCNP

Ackersteinstrasse 203
CH-8049 Zurich
------------------------------------------------------------------
"Destiny is not a matter of chance, it is a matter of choice;
it is not a thing to be waited for, it is a thing to be achieved."
					William Jennings Bryan
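An added example, not code from either poster, Cisco or m0n0wall, illustrating the two ACLs Don sketched and Daniele's point that the bogon list should come from a maintained feed rather than be typed by hand. It generates the ingress (deny bogon source) and egress (deny bogon destination) access lists from a prefix list, converting CIDR prefixes to the wildcard masks IOS expects, and then runs the same logic over (src, dst) pairs as they would be seen on m0n0wall's inside interfaces, i.e. before NAT, so the local host sending to a bogus destination is still identifiable. Two caveats a practitioner should know: the unallocated entries in the 2005 list above (1/8, 2/8, 5/8) have since been allocated, so only the fixed reserved prefixes are embedded here and anything else must be refreshed from a live source such as Team Cymru's; and if the bogon list contains RFC 1918 space and the LAN and DMZ use it, an egress ACL on the inside interfaces has to permit the local networks first or LAN-to-DMZ traffic is denied. The prefix list, the local networks (192.168.1.0/24, 192.168.2.0/24) and the sample packets are constructed assumptions.

```python
"""Bogon ACL generation and packet classification for the ingress/egress
filtering discussed in the thread. Constructed example, not IOS or m0n0wall code."""
import ipaddress

# Constructed sample list: fixed reserved ("martian") prefixes that never appear as
# legitimate Internet sources or destinations. Unallocated space (the 1/8, 2/8, 5/8
# entries in the 2005 ACL) changes as IANA assigns blocks; a production list must be
# refreshed from a maintained feed, not kept as a static table like this one.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
]

# Assumed LAN and DMZ networks behind m0n0wall (not from the thread). They fall
# inside 192.168.0.0/16, so the egress ACL must exempt them before the bogon denies.
LOCAL_NETS = ["192.168.1.0/24", "192.168.2.0/24"]

# Constructed sample of (src, dst) pairs as seen on m0n0wall's LAN interface.
SAMPLE_LAN = [
    ("192.168.1.23", "240.1.2.3"),     # class E destination: flagged, host identified
    ("192.168.1.40", "192.168.2.10"),  # LAN -> DMZ: permitted by the local exemption
    ("192.168.1.55", "8.8.8.8"),       # ordinary Internet traffic
]


def wildcard(prefix):
    """Cisco wildcard mask for a CIDR prefix: the bitwise inverse of the netmask."""
    return str(ipaddress.ip_network(prefix).hostmask)


def ingress_acl(prefixes, number=101):
    """Deny packets whose *source* is bogon space; apply 'in' on the WAN/serial link."""
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f"access-list {number} deny ip {net.network_address} "
                     f"{wildcard(p)} any log-input")
    lines.append(f"access-list {number} permit ip any any")
    return lines


def egress_acl(prefixes, local_nets=(), number=102):
    """Deny packets whose *destination* is bogon space, after permitting traffic to
    the local networks so LAN<->DMZ flows are not caught by the RFC 1918 entries."""
    lines = []
    for l in local_nets:
        net = ipaddress.ip_network(l)
        lines.append(f"access-list {number} permit ip any {net.network_address} {wildcard(l)}")
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f"access-list {number} deny ip any {net.network_address} "
                     f"{wildcard(p)} log-input")
    lines.append(f"access-list {number} permit ip any any")
    return lines


def _hit(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def classify_ingress(records, prefixes):
    """WAN-side view: flag packets arriving with a bogon source address."""
    bogons = [ipaddress.ip_network(p) for p in prefixes]
    return [(s, d, "deny-ingress" if _hit(s, bogons) else "permit") for s, d in records]


def classify_egress(records, prefixes, local_nets=()):
    """Inside-interface view (pre-NAT): the source is the real local host, so a
    deny-egress verdict names the machine sending to a bogus destination."""
    bogons = [ipaddress.ip_network(p) for p in prefixes]
    locals_ = [ipaddress.ip_network(l) for l in local_nets]
    out = []
    for src, dst in records:
        if _hit(dst, locals_):
            verdict = "permit-local"
        elif _hit(dst, bogons):
            verdict = "deny-egress"
        else:
            verdict = "permit"
        out.append((src, dst, verdict))
    return out


if __name__ == "__main__":
    print("\n".join(ingress_acl(BOGONS)))
    print("\n".join(egress_acl(BOGONS, LOCAL_NETS)))
    for src, dst, verdict in classify_egress(SAMPLE_LAN, BOGONS, LOCAL_NETS):
        print(f"{src:15} -> {dst:15} {verdict}")
```

The generated lines use the same `deny ip <net> <wildcard> any log-input` form as the ACL quoted above, so the output can be pasted into the router; the egress list is ordered permit-local, deny-bogon, permit-any, which is the order that keeps internal traffic working while still logging the host behind each bad packet.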