Michael J. Tubby B.Sc. (Hons) G8TIC wrote:
> What you should be filtering is packet egress, that is your 192.168 or
> whatever internal LAN leaking 'naked' (un-NATted) to the internet at
> large.

Yes, I do this. I also filter coming from the LAN on the INPUT table since I consider any box a potential risk.

> I do this in two places, on the main firewall box between our "inside"
> and "outside" in iptables and then again at the Cisco router facing
> PSInet with an ACL that drops & logs any packets from anything other
> than our PSInet Class-C, so there's no way we can "leak" on to the 'net.

My DSL provider owns and maintains my router. I never thought about filtering at the router. Hmm, I'll have to ask about that.

Jeff
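
As an added example, not part of the original messages: a check for the egress leak discussed above, run over constructed firewall log lines in the key=value layout written by the iptables LOG target. The interface name `eth0`, the `EGRESS` log prefix and the permitted block 203.0.113.0/24 (a documentation range standing in for the assigned public network) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the only block that may appear as a source on the outside link.
ALLOWED_SRC = ipaddress.ip_network("203.0.113.0/24")
OUTSIDE_IF = "eth0"  # assumed name of the internet-facing interface

# RFC 1918 ranges: the "192.168 or whatever internal LAN" case from the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FIELD = re.compile(r"\b(IN|OUT|SRC|DST)=(\S*)")

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=203.0.113.20 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40000 DPT=80
Jan 10 10:00:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40001 DPT=80
Jan 10 10:00:03 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.8 LEN=60 PROTO=UDP SPT=5353 DPT=53
Jan 10 10:00:04 fw kernel: EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 10 10:00:05 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=80 DPT=40000
Jan 10 10:00:06 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=198.51.100.99 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40002 DPT=80
"""


def leaked_sources(log_text, allowed=ALLOWED_SRC, outside=OUTSIDE_IF):
    """Count sources seen leaving `outside` that are not inside `allowed`.

    Returns a Counter keyed by (source address, kind), where kind is
    "rfc1918" for un-NATted internal addresses and "other" for any
    remaining source outside the permitted block.
    """
    leaks = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("OUT") != outside or "SRC" not in fields:
            continue  # not an egress packet on the outside interface
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except ValueError:
            continue  # malformed address field, skip the line
        if src in allowed:
            continue  # correctly NATted or genuinely public source
        kind = "rfc1918" if any(src in net for net in RFC1918) else "other"
        leaks[(str(src), kind)] += 1
    return leaks


if __name__ == "__main__":
    for (src, kind), count in sorted(leaked_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {kind:8} {count} packet(s)")
```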