On Tue, 28 Oct 2003, Alistair Tonner wrote:

> On October 28, 2003 09:59 am, Robert P. J. Day wrote:
> > i'd like to find a short, efficient way to filter incoming packets with
> > bogus source addresses, but i don't see an elegant way of doing it.
> >
> > as we all know, there are a number of clearly bogus source addresses on
> > incoming packets:
> >
> >   - broadcast
> >   - your own IP address
> >   - any of the private class A, B or C addresses
> >   - class D addresses
> >
> > and on and on. so it's natural to want to discard them and, just for fun,
> > log them as well.
> >
> > for elegance, i can create a user-defined chain called, say,
> > "reject_bad_source_addresses" to which i jump with every incoming packet.
> > this user-defined chain will test for all of the bad source addresses, one
> > at a time, and DROP/REJECT each one. however, if i want to log all of
> > these rejections, i'd have to double the number of rules in this chain,
> > so that each test would first LOG that packet, then be followed by a
> > second rule to DROP it. kind of a pain.
>
> Why don't you have the first user chain test for bad addresses, send them to
> a second chain, which then logs all traffic going through it, and then drops
> all traffic going through it?

oooh, yeah, that'll work. thanks.

rday