Jeff Kell after me after Chris Bartram and others:
[.....SNIP.....]
>>(1) Expanding on one of Chris Bartram's suggestions to be
>> able to configure lists of allowed originating IP addresses:
>> We would like to be able to configure both an ALLOW *and*
>> a DISALLOW list, and be able to do that using at least basic
>> wild card syntax. I.e: Be able to put in everything from one
>> or more specific IP entries, to something like [log in to unmask]@
>This is inadequate. I would like to propose something along the lines of
> {permit | deny} {IP-address} {address-mask} [{tcp|udp|icmp} {<|=|>} {port}]
>and a possibility to
> {permit | deny} {IP-address} {address-mask} established
>The "@" nomenclature doesn't allow for subnet masking (actual subnets or
>logical subnets). Blunt acceptance/denial of a "network" may be OK, but we
>really need to address the protocol level. [.....SNIP.....]
Jeff obviously has the right idea. Ignore my previous, and sign
me up to second the motion on Jeff's suggestion. Much better
control.
Ken Sletten
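
The rule syntax proposed in the quoted text, worked through as an added example (not code from Jeff Kell, Ken Sletten or any product discussed in the thread). Assumptions: the address mask is netmask style (1 bits must match), the port is the destination port, rules are checked in order with the first match winning, no match means deny, and `established` is a flag the caller supplies for TCP traffic on an existing connection.

```python
import ipaddress
import operator

OPS = {"<": operator.lt, "=": operator.eq, ">": operator.gt}

def ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_rule(line):
    """Parse '{permit|deny} IP MASK [PROTO OP PORT | established]'."""
    tok = line.split()
    if len(tok) not in (3, 4, 6) or tok[0] not in ("permit", "deny"):
        raise ValueError("bad rule: " + line)
    rule = {"action": tok[0], "addr": ip(tok[1]), "mask": ip(tok[2]),
            "proto": None, "op": None, "port": None, "established": False}
    if len(tok) == 4:
        if tok[3] != "established":
            raise ValueError("bad rule: " + line)
        rule["established"] = True
    elif len(tok) == 6:
        if tok[3] not in ("tcp", "udp", "icmp") or tok[4] not in OPS:
            raise ValueError("bad rule: " + line)
        rule.update(proto=tok[3], op=OPS[tok[4]], port=int(tok[5]))
    return rule

def matches(rule, src, proto, port, established):
    # Assumption: mask bits set to 1 must match (netmask style).
    if (ip(src) & rule["mask"]) != (rule["addr"] & rule["mask"]):
        return False
    if rule["established"] and not (proto == "tcp" and established):
        return False
    if rule["proto"] is not None:
        return proto == rule["proto"] and rule["op"](port, rule["port"])
    return True

def decide(rules, src, proto, port, established=False):
    """First matching rule wins; no match is a deny (assumed default)."""
    for rule in rules:
        if matches(rule, src, proto, port, established):
            return rule["action"]
    return "deny"

# Constructed rule set: block telnet from one /26, allow the rest of the /24
# to low TCP ports, allow established TCP connections from anywhere.
RULES = [parse_rule(r) for r in (
    "deny 192.0.2.64 255.255.255.192 tcp = 23",
    "permit 192.0.2.0 255.255.255.0 tcp < 1024",
    "permit 0.0.0.0 0.0.0.0 established",
)]
```

The first rule covers 192.0.2.64 through 192.0.2.127, a range that a per-octet wildcard cannot express, which is the subnet-masking limitation raised in the quoted reply.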