On Fri, Mar 28, 2008 at 06:45:13AM -0700, Tom Eastep wrote:
> Using iptables for RFC1918 filtration really isn't the best approach in
> many cases. It's generally better to null-route the RFC 1918 ranges:
>
> ip route add unreachable 10.0.0.0/8
> ip route add unreachable 172.16.0.0/8
> ip route add unreachable 192.168.0.0/16
>
> and enable route filtering on your external interface(s).
>
> This approach is not without its hazards though. Consider if you were a
> customer of an ISP who uses RFC 1918 addresses for its DHCP servers.
Although that is trivially fixed by adding specific routes for the addresses of those servers.
