SMURF amplifier block list
Jason Lixfeld
jlixfeld at idirect.ca
Fri Apr 24 02:36:58 UTC 1998
Really? I thought that extended access-lists needed wildcard masks which
is why I said 255.255.255.0. If an inbound access-list on a hssi says:
access-list 101 deny icmp any 0.0.0.255 255.255.255.0
It is denying only packets with a destination to any.any.any.255. In the
example below, he is actually denying anything from anywhere, not the
broadcasts:
<snip>
deny ip any x.y.z.255 255.255.255.255
</snip>
If he wanted to deny ip to broadcasts on a specific network, he would:
deny ip any x.y.z.255 0.0.0.0
or
deny ip any host x.y.z.255
Am I lost here?! =P
On Sun, 19 Apr 1998, Dean Anderson wrote:
:No, because you only want to stop the packets coming into the broadcast
:address, not the entire network. (You may want to block the entire network,
:say for security reasons, but that's a slightly different issue).
:
:I suspect that you are confused with the wildcarding. The second parameter
:is a mask for the first. All ones on the mask mean it matches exactly the
:first address. Leaving the last octet of the mask 0 means it matches all ip
:addresses that begin with x.y.z, including the broadcast address.
:
: --Dean
:
:At 6:46 PM -0400 4/19/98, jlixfeld at idirect.ca wrote:
:>Uhmm, would the 255.255.255.255 wildcard not be 255.255.255.0?
:>
:>On Sat, 18 Apr 1998, Dean Anderson wrote:
:>
:>:Umm, I think this has already been hashed out. This is not the only netmask
:>:on the planet, and you don't know what other networks' netmasks are under
:>:CIDR. Trying to guess the netmask just leads to breakage.
:>:
:>:All you want to do is stop packets coming in to your broadcast address.
:>:For example, for your network x.y.z/n (n=24) with your broadcast address
:>:of x.y.z.255: (I presume everyone can translate between CIDR notation and
:>:dotted decimal ;-)
:>:
:>:deny ip any x.y.z.255 255.255.255.255
:>:
:>:no ip directed broadcast basically puts in the same rule, but it does it
:>:automatically by looking at the netmasks on the interfaces.
:
:
:++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
: Plain Aviation, Inc dean at av8.com
: LAN/WAN/UNIX/NT/TCPIP/DCE http://www.av8.com
: We Make IT Fly! (617)242-3091 x246
:++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
:
:
--
Regards,
Jason A. Lixfeld jlixfeld at idirect.ca
iDirect Network Operations jlixfeld at torontointernetxchange.net
---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a | "A Different Kind of Internet Company"
Internet Direct Canada Inc. | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario | (416) 236-5806 (T)
M9B-1B5 CANADA | (416) 236-5804 (F)
---------------------------------------------------------------------
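The wildcard-mask question argued in this thread can be checked mechanically. The following is an added example, not part of the original messages: it applies Cisco IOS extended-ACL wildcard semantics (a 1 bit in the wildcard is ignored, a 0 bit must equal the base address) to the three destination specifications quoted above. The 192.0.2.0 and 198.51.100.0 documentation prefixes stand in for x.y.z and for an unrelated network, and all sample addresses are constructed.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad IPv4 address as a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """True if addr matches 'base wildcard' under IOS wildcard-mask rules."""
    care = ~to_int(wildcard) & 0xFFFFFFFF      # bits that must equal base
    return (to_int(addr) ^ to_int(base)) & care == 0


def directed_broadcast(cidr):
    """Directed-broadcast address of a prefix, derived from its real netmask."""
    return str(ipaddress.ip_network(cidr).broadcast_address)


# Destination specs from the thread; 192.0.2 is a stand-in for x.y.z.
ENTRIES = {
    "0.0.0.255 255.255.255.0": ("0.0.0.255", "255.255.255.0"),
    "x.y.z.255 255.255.255.255": ("192.0.2.255", "255.255.255.255"),
    "x.y.z.255 0.0.0.0": ("192.0.2.255", "0.0.0.0"),
}

# Constructed destinations: own broadcast, own host, foreign .255, foreign host.
SAMPLES = ["192.0.2.255", "192.0.2.10", "198.51.100.255", "198.51.100.7"]


def evaluate():
    """Map each ACL destination spec to the sample addresses it matches."""
    return {
        name: [d for d in SAMPLES if wildcard_match(d, base, wc)]
        for name, (base, wc) in ENTRIES.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:28} matches {hits}")
    # A /25 has its broadcast at .127, which a rule keyed on .255 never sees.
    bcast = directed_broadcast("192.0.2.0/25")
    print(bcast, wildcard_match(bcast, "0.0.0.255", "255.255.255.0"))
```

The last check illustrates the CIDR point made in the quoted message: a filter that assumes every broadcast address ends in .255 misses the broadcast of any prefix that is not aligned on a /24 boundary.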