Best practice would be to block all outgoing traffic (on the serial) at each POP that does not fall into the netblock that you have assigned to it. In other words, if one POP has 203.203.203.0/24, and you assign addresses from that pool to dialup users, then block _all_ traffic leaving that POP that is not from 203.203.203.0/24.
That nails would-be IP spoofers, smurf attackers, and other forms of undesirable traffic, and also obviates the need to write huuuge ACLs listing all the private and otherwise "impossible" traffic (there are more blocks than you think). This is the same idea as default-deny versus default-permit.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Saint James
> Sent: Wednesday, March 13, 2002 9:34 AM
> To: [EMAIL PROTECTED]
> Cc: james
> Subject: Re: ACL's and private address space
>
>
> To clarify, we only give our users public addresses,
> it is their private addresses (thru NAT, etc.) that are
> escaping onto our network that I am seeking to block.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
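The difference between the two filtering approaches discussed in this message, as an added example that is not part of the original post: it compares a deny-list of private ranges with a rule that forwards only sources inside the POP's netblock. The 203.203.203.0/24 pool comes from the post; the deny list, the sample source addresses and the function names are constructed for illustration.

```python
import ipaddress

# The POP's assigned pool, taken from the example in the post.
POP_NETBLOCK = ipaddress.ip_network("203.203.203.0/24")

# A hand-maintained deny list covering RFC 1918 only (constructed for illustration).
DENY_LIST = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def default_permit(src: str) -> bool:
    """Deny-list egress policy: forward unless the source is on the list."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in DENY_LIST)


def default_deny(src: str) -> bool:
    """Netblock-only egress policy: forward only sources inside the POP pool."""
    return ipaddress.ip_address(src) in POP_NETBLOCK


# Constructed sample traffic leaving the POP: (source address, description).
SAMPLES = [
    ("203.203.203.17", "legitimate dialup user"),
    ("192.168.1.10", "private address leaking past a customer NAT"),
    ("169.254.7.7", "link-local, missing from the deny list"),
    ("127.0.0.1", "loopback"),
    ("198.51.100.25", "forged source belonging to another network"),
    ("203.203.204.1", "adjacent block, not this POP's pool"),
]


def compare(samples=SAMPLES):
    """Return (src, deny_list_forwards, netblock_rule_forwards) per sample."""
    return [(src, default_permit(src), default_deny(src)) for src, _ in samples]


def leaked_by_deny_list(samples=SAMPLES):
    """Sources the deny list forwards but the netblock-only rule drops."""
    return [src for src, p, d in compare(samples) if p and not d]


if __name__ == "__main__":
    for (src, note), (_, p, d) in zip(SAMPLES, compare()):
        print(f"{src:16} deny-list={'fwd' if p else 'drop':4} "
              f"netblock-only={'fwd' if d else 'drop':4} {note}")
```
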
