Hi Don,
Don Cohen wrote:
>
> Just reading mail that arrived while I was on vacation ...
>
> Several points.
> - In order to use the current tc you don't have to match all of the
> illegal addresses (64K - 10K) - it would be easier to default to
> disallow packets and match the smaller 10K that are allowed.
>
Actually I can do this with three independent or loosely coupled
systems:
iproute2
netfilter
tc
netfilter is too slow for 10k rules, and if I use hierarchical prefixes
I have a lot of chains and still ca. 500 rules in the worst case.
With iproute2 I could do this with a prohibit rule, but then I have
the bigger amount of disallowed addresses.
I think at the moment tc is the best solution, but how could this
be handled on ingress shaping to a 0 kbps queue?
> - What you really want, of course, is a new module that does a simple
> table lookup to decide whether to classify a packet. This should be
> easy to write. The hard part is filling the table - I don't even know
> where your data comes from.
They come programmatically from the DNS system by a walk-through.
I check once a day all Class B addresses whether they are registered.
>
> - I'd expect your addresses to not be uniformly distributed. A
right!
> reasonable routing scheme would assign different class-c's to
> different departments/dorms; many class c's don't exist and you
> can eliminate those immediately; those that do probably go to other
> routers and those can do further filtering.
> An additional benefit of this more distributed solution is that,
This must be done at the central FW, because the other routers
are from different vendors with even different capabilities.
This would not be manageable.
> at least for traffic originating inside your network, earlier
> filtering prevents one class c from denying (outbound) service to
> others. I'd guess that you're less concerned with outside attackers
> sending to these bogus addresses without provocation from inside.
Regards
Charly
--
Karl Gaissmaier Computing Center,University of Ulm,Germany
Email:[EMAIL PROTECTED] Network Administration
Tel.: ++49 731 50-22499
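As an added illustration of the "default deny, match only the smaller allowed set" approach discussed above (this is example code, not Charly's or Don's own tooling): the script below takes a constructed list of registered class C blocks such as a DNS walk would produce, collapses adjacent blocks into larger prefixes to shrink the rule count, answers the "is this destination allowed?" table lookup, and emits the tc ingress filter commands for an allow-list with a trailing catch-all drop. The sample prefixes are made up, and the `action pass` / `action drop` filter syntax assumes a modern iproute2 (older releases expressed the drop with `police ... drop` instead). The commands are only generated as strings, not executed.

```python
import ipaddress

# Constructed sample input: the /24 blocks inside a campus network that a daily
# DNS walk reported as registered. Placeholder data, not the poster's real table.
REGISTERED_C_BLOCKS = [
    "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
    "10.0.16.0/24", "10.0.17.0/24",
    "10.0.200.0/24",
]


def build_allow_table(blocks):
    """Parse the registered /24s and merge adjacent ones into bigger prefixes.

    Merging is what keeps the tc rule count small: contiguous class C's become a
    single /23, /22, ... entry instead of one filter per block.
    """
    nets = [ipaddress.ip_network(b) for b in blocks]
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(table, dst):
    """Table lookup: a destination is allowed only if some allow prefix covers it.

    Everything not covered is denied, which is the default-deny policy.
    """
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in table)


def tc_ingress_rules(dev, table):
    """Render the allow table as tc ingress filters with a final catch-all drop.

    Filters are evaluated in priority order: every allowed prefix passes, and the
    last rule (matching 0.0.0.0/0) drops whatever did not match before.
    Assumes the gact 'pass'/'drop' actions of a current iproute2.
    """
    cmds = [f"tc qdisc add dev {dev} handle ffff: ingress"]
    prio = 1
    for net in table:
        cmds.append(
            f"tc filter add dev {dev} parent ffff: protocol ip prio {prio} "
            f"u32 match ip dst {net} action pass"
        )
    cmds.append(
        f"tc filter add dev {dev} parent ffff: protocol ip prio {prio + 1} "
        f"u32 match ip dst 0.0.0.0/0 action drop"
    )
    return cmds


if __name__ == "__main__":
    table = build_allow_table(REGISTERED_C_BLOCKS)
    print(f"{len(REGISTERED_C_BLOCKS)} registered /24s collapsed to {len(table)} prefixes")
    for dst in ("10.0.3.7", "10.0.4.1", "10.0.200.250"):
        print(dst, "allowed" if is_allowed(table, dst) else "dropped")
    print("\n".join(tc_ingress_rules("eth0", table)))
```

With the sample data the six /24s collapse to four prefixes, so the ingress filter set is four pass rules plus one drop rule; the same table drives both the offline lookup and the generated filters, which makes it easy to check a proposed rule set against known-good and known-bad destinations before loading it.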
_______________________________________________
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/