Date: Tue, 4 Apr 1995 01:59:42 EDT
Content-Type: text/plain
On Mon, 3 Apr 1995 16:25:00 PDT Ken Sletten - Code 331A said:
>Jeff Kell after me after Chris Bartram and others:
>>>(1) Expanding on one of Chris Bartram's suggestions to be
>>> able to configure lists of allowed originating IP addresses:
>
>>This is inadequate. I would like to propose something along the lines of
>>{permit|deny} {IP-address} {address-mask} [{tcp|udp|icmp} {<|=|>} {port}]
>>and a possibility to
>> {permit | deny} {IP-address} {address-mask} established
>
>>The "@" nomenclature doesn't allow for subnet masking (actual subnets or
>>logical subnets). Blunt acceptance/denial of a "network" may be OK, but we
>>really need to address the protocol level. [.....SNIP.....]
>
>Jeff obviously has the right idea. Ignore my previous, and sign
>me up to second the motion on Jeff's suggestion. Much better
>control.
Well, let me revise that; this is filtering INCOMING traffic. As such, the
ICMP protocol is rather irrelevant. This is often used on OUTBOUND traffic
so that firewall-thwarted attempts simply time out rather than resulting in
a more definitive ICMP Destination unreachable or ICMP Connection refused
response. It isn't of much value on inbound traffic.
(Takes me a minute to shuffle my mindset from router to host :-) )
[\] Jeff Kell
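The filter grammar quoted in the message above, worked through as an added example (this is editor-supplied code, not Jeff Kell's or the list server's): a small first-match evaluator for rules of the form `{permit|deny} {IP-address} {address-mask} [{tcp|udp|icmp} {<|=|>} {port}]` and `{permit|deny} {IP-address} {address-mask} established`. It assumes the address-mask is a router-style wildcard mask (0 bits must match, 1 bits are "don't care") and that "established" means a TCP segment with ACK or RST set; the thread specifies neither, so both are assumptions. The rules and packets are constructed for the example.

```python
"""Added example: evaluate the ACL syntax proposed in the thread.

Assumptions (not stated in the original message):
  * address-mask is a wildcard mask: 0 bits must match, 1 bits are ignored,
    so "host only" (the "@" nomenclature) is simply wildcard 0.0.0.0.
  * "established" matches TCP segments carrying ACK or RST, i.e. replies
    to sessions the local side opened, not new inbound SYNs.
Rules are tried in order; the first match decides, else the default applies.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                 # source IPv4 address as text
    proto: str               # "tcp", "udp" or "icmp"
    dport: int = 0           # destination port (ignored for icmp)
    tcp_ack: bool = False    # ACK flag set
    tcp_rst: bool = False    # RST flag set


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    addr: int                # rule address as 32-bit int
    wildcard: int            # wildcard mask as 32-bit int
    proto: Optional[str] = None
    op: Optional[str] = None          # "<", "=" or ">"
    port: Optional[int] = None
    established: bool = False


def parse_rule(text: str) -> Rule:
    """Parse one rule written in the proposed grammar (taken literally)."""
    tok = text.split()
    if len(tok) < 3 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {text!r}")
    addr = int(ipaddress.IPv4Address(tok[1]))
    wildcard = int(ipaddress.IPv4Address(tok[2]))
    rest = tok[3:]
    if not rest:                                   # address/mask only
        return Rule(tok[0], addr, wildcard)
    if rest == ["established"]:
        return Rule(tok[0], addr, wildcard, established=True)
    if (len(rest) == 3 and rest[0] in ("tcp", "udp", "icmp")
            and rest[1] in ("<", "=", ">")):
        return Rule(tok[0], addr, wildcard, rest[0], rest[1], int(rest[2]))
    raise ValueError(f"bad rule: {text!r}")


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet's source address and protocol fields fit the rule."""
    keep = ~rule.wildcard & 0xFFFFFFFF              # bits that must match
    src = int(ipaddress.IPv4Address(pkt.src))
    if (src & keep) != (rule.addr & keep):
        return False
    if rule.established:
        return pkt.proto == "tcp" and (pkt.tcp_ack or pkt.tcp_rst)
    if rule.proto is None:                          # whole network, any proto
        return True
    if pkt.proto != rule.proto:
        return False
    return {"<": pkt.dport < rule.port,
            "=": pkt.dport == rule.port,
            ">": pkt.dport > rule.port}[rule.op]


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed sample policy: allow SMTP and reply traffic from one subnet,
# drop everything else from it, and accept anything from 10/8.
SAMPLE_RULES = [parse_rule(r) for r in [
    "permit 192.168.10.0 0.0.0.255 tcp = 25",
    "permit 192.168.10.0 0.0.0.255 established",
    "deny   192.168.10.0 0.0.0.255",
    "permit 10.0.0.0 0.255.255.255",
]]

if __name__ == "__main__":
    for p in (Packet("192.168.10.7", "tcp", 25),
              Packet("192.168.10.7", "tcp", 23),
              Packet("192.168.10.7", "tcp", 5000, tcp_ack=True),
              Packet("192.168.11.1", "tcp", 25),
              Packet("10.3.4.5", "udp", 53),
              Packet("172.16.0.1", "tcp", 25)):
        print(p.src, p.proto, p.dport, "->", evaluate(SAMPLE_RULES, p))
```

The third packet shows what the `established` clause buys on an inbound filter: a telnet attempt from 192.168.10.7 is denied, but a return segment of a session the local host opened to that address is permitted. The 192.168.11.1 case shows the subnet masking that a bare host-address list cannot express.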