Re: Q: best solution to stop traffic to huge amount of unregistered hosts

Linux Advanced Routing and Traffic Control

Hi Don,

Don Cohen schrieb:
> 
> Just reading mail that arrived while I was on vacation ...
> 
> Several points.
> - In order to use the current tc you don't have to match all of the
> illegal addresses (64K - 10K) - it would be easier to default to
> disallow packets and match the smaller 10K that are allowed.
> 

Actually, I can do this with three independent or loosely coupled
systems:

iproute2
netfilter
tc

netfilter is too slow for 10k rules, and if I use hierarchical prefixes
I have a lot of chains and still ca. 500 rules in the worst case.

With iproute2 I could do this with a prohibit rule, but then I have
the bigger amount of disallowed addresses.

I think at the moment tc is the best solution, but how could this
be handled on ingress shaping to a 0 kbps queue?

> - What you really want, of course, is a new module that does a simple
> table lookup to decide whether to classify a packet.  This should be
> easy to write.  The hard part is filling the table - I don't even know
> where your data comes from.

They come programmatically from the DNS system by a walk through.
Once a day I check all class B addresses to see whether they are registered.

> 
> - I'd expect your addresses to not be uniformly distributed.  A

right!

> reasonable routing scheme would assign different class-c's to
> different departments/dorms; many class c's don't exist and you
> can eliminate those immediately; those that do probably go to other
> routers and those can do further filtering.
> An additional benefit of this more distributed solution is that,

This must be done at the central FW, because the other routers
are from different vendors with even different capabilities.
This would not be manageable.

> at least for traffic originating inside your network, earlier
> filtering prevents one class c from denying (outbound) service to
> others.  I'd guess that you're less concerned with outside attackers
> sending to these bogus addresses without provocation from inside.

Regards
	Charly

-- 
Karl Gaissmaier          Computing Center,University of Ulm,Germany
Email:karl.gaissmaier@rz.uni-ulm.de          Network Administration
Tel.: ++49 731 50-22499
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

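As an added example (not code from this thread or from either poster), the default-deny approach Don describes: collapse the daily list of registered hosts into the fewest CIDR prefixes and emit tc ingress filters that pass those and drop everything else, instead of policing to a 0 kbps queue. The host list is constructed from documentation ranges, `eth0` is a placeholder, and the gact `action pass`/`action drop` syntax of a modern iproute2 is assumed.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample input: the addresses a daily DNS walk reported as
# registered. Documentation ranges are used here, not real site data.
REGISTERED_HOSTS: List[str] = (
    [f"198.51.100.{i}" for i in range(256)]      # a fully populated class C
    + [f"203.0.113.{i}" for i in range(128)]     # lower half of another one
    + ["203.0.113.200", "203.0.113.201"]         # two stray registered hosts
)


def aggregate_hosts(hosts: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse individual registered hosts into the minimal set of CIDR
    prefixes covering exactly those hosts, so the filter needs far fewer
    rules than one per address (386 hosts become 3 prefixes below)."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    return list(ipaddress.collapse_addresses(addrs))


def tc_allowlist(dev: str, prefixes: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Emit tc commands that pass packets destined to a registered prefix
    and drop everything else on ingress of `dev` (default-deny).
    Assumes the gact 'action' syntax of a modern iproute2 (assumption)."""
    cmds = [f"tc qdisc add dev {dev} handle ffff: ingress"]
    for net in prefixes:
        cmds.append(
            f"tc filter add dev {dev} parent ffff: protocol ip prio 1 u32 "
            f"match ip dst {net.with_prefixlen} action pass"
        )
    # Catch-all at a lower priority (higher prio number) drops whatever
    # did not match one of the registered prefixes above.
    cmds.append(
        f"tc filter add dev {dev} parent ffff: protocol ip prio 2 u32 "
        "match u32 0 0 action drop"
    )
    return cmds


if __name__ == "__main__":
    prefixes = aggregate_hosts(REGISTERED_HOSTS)
    print(f"# {len(REGISTERED_HOSTS)} hosts -> {len(prefixes)} prefixes")
    print("\n".join(tc_allowlist("eth0", prefixes)))
```

Running the script only prints the commands; review the generated list before feeding it to tc on the firewall.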