SMURF amplifier block list

Dean Anderson dean at av8.com
Sun Apr 19 23:57:09 UTC 1998


No, because you only want to stop the packets coming into the broadcast
address, not the entire network. (You may want to block the entire network,
say for security reasons, but that's a slightly different issue).

I suspect that you are confused with the wildcarding. The second parameter
is a mask for the first. All ones on the mask mean it matches exactly the
first address. Leaving the last octet of the mask 0 means it matches all IP
addresses that begin with x.y.z, including the broadcast address.

		--Dean

At 6:46 PM -0400 4/19/98, jlixfeld at idirect.ca wrote:
>Uhmm, would the 255.255.255.255 wildcard not be 255.255.255.0?
>
>On Sat, 18 Apr 1998, Dean Anderson wrote:
>
>:Umm, I think this has already been hashed out. This is not the only netmask
>:on the planet, and you don't know what other networks' netmasks are under
>:CIDR. Trying to guess the netmask just leads to breakage.
>:
>:All you want to do is stop packets coming in to your broadcast address.
>:For example, for your network x.y.z/n  (n=24) with your broadcast address
>:of x.y.z.255: (I presume everyone can translate between CIDR notation and
>:dotted decimal ;-)
>:
>:deny ip any x.y.z.255 255.255.255.255
>:
>:no ip directed broadcast basically puts in the same rule, but it does it
>:automatically by looking at the netmasks on the interfaces.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
           Plain Aviation, Inc                  dean at av8.com
           LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
           We Make IT Fly!                (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
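
The mask matching discussed in this thread, as an added example that is not part of the original messages: it lists which destinations a deny rule drops under each mask, and shows why the broadcast address has to be computed from the real prefix length rather than guessed. 192.0.2.0/24 is a constructed stand-in for x.y.z/24, and the function names are hypothetical. The `wildcard=True` option covers ACL syntaxes (Cisco IOS wildcard masks, for example) where the bit sense is inverted and 0 bits are the ones that must match.

```python
import ipaddress


def _u32(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def rule_matches(dst, pattern, mask, wildcard=False):
    """True if dst matches pattern under mask.

    wildcard=False: 1 bits in the mask must match (the sense used in the thread).
    wildcard=True:  inverted convention, 0 bits must match.
    """
    m = _u32(mask)
    if wildcard:
        m ^= 0xFFFFFFFF
    return (_u32(dst) & m) == (_u32(pattern) & m)


def directed_broadcast(cidr):
    """Broadcast address derived from the actual prefix length."""
    return str(ipaddress.IPv4Network(cidr).broadcast_address)


def blocked_addresses(cidr, pattern, mask, wildcard=False):
    """Every address inside cidr that a 'deny ip any pattern mask' rule drops."""
    net = ipaddress.IPv4Network(cidr)  # iteration includes network and broadcast
    return [str(a) for a in net if rule_matches(str(a), pattern, mask, wildcard)]


if __name__ == "__main__":
    net = "192.0.2.0/24"  # constructed example network
    bcast = directed_broadcast(net)

    # All-ones mask: only the broadcast address is dropped.
    print(blocked_addresses(net, bcast, "255.255.255.255"))
    # Last octet zero: the whole /24 is dropped, hosts included.
    print(len(blocked_addresses(net, bcast, "255.255.255.0")))
    # Under CIDR the broadcast is not always .255: a /26 inside the same block.
    print(directed_broadcast("192.0.2.64/26"))
    # Same host-only rule written for the inverted (wildcard) convention.
    print(blocked_addresses(net, bcast, "0.0.0.0", wildcard=True))
```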




