On Tuesday 03 February 2004 19:50, Ken Rossman wrote:
> On Tuesday, February 3, 2004, at 02:22 PM, Stuart Sears wrote:
> > On Tuesday 03 February 2004 17:42, Ken Rossman wrote:
> >> I assume it's possible for a site out on the Internet, trying to reach
> >> another site out on the internet (neither being on the local LAN) to
> >> manage to find a route THROUGH this local net.
> >
> > the external IPs are fixed, right?
>
> Yes they are/will be. I'm not sure I'd even want to try to bottleneck
> this kind of traffic if I were dealing with dynamic addressing...
>
> >> I want to prevent this. Would the best way to do this be to use
> >> iptables to disallow ALL packets between RTR1 and RTR2? Is there
> >> a better way to do this?
> >
> > you could use connection tracking - drop all packets that are not part of
> > an existing/related connection. (Be aware that this takes more memory than
> > normal iptables rules).
>
> Can you point me at reference material explaining connection tracking?
> That's a new term to me. And if it's just extra memory in the routers
> themselves, then I think we're still OK, as they are solely router /
> firewalls and they are quite reasonably configured (512MB or so).
>
> Thanks,
> KR

Memory shouldn't be a problem though.

You'll probably find documentation on stateful packet filtering on
www.netfilter.org. However, the rules are basically simple - they use a match
extension to the standard rules...

iptables -t filter -A INPUT --match state ! --state ESTABLISHED,RELATED -j DROP

--
Stuart Sears RHCE, RHCX

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
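As an added illustration (not from the thread), here is a small Python simulation of the stateful policy Stuart describes, applied to the RTR1/RTR2 transit case in the FORWARD path: reply traffic for flows the LAN opened is accepted, while new flows arriving from outside, including one external router trying to reach the other through the local net, are dropped. The addresses, interface names and the StatefulForwarder class are constructed for the example; RELATED tracking and conntrack timeouts are left out.

```python
# Simulation of a stateful FORWARD policy (added example, not from the post).
# Constructed topology: local LAN 192.0.2.0/24 on eth0; RTR1 (198.51.100.1)
# and RTR2 (203.0.113.1) are the two external routers on eth1/eth2.
# The equivalent iptables policy being simulated would read:
#   iptables -P FORWARD DROP
#   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A FORWARD -i eth0 -s 192.0.2.0/24 -m state --state NEW -j ACCEPT
import ipaddress

LAN = ipaddress.ip_network("192.0.2.0/24")
LAN_IFACE = "eth0"
FIELDS = ("in", "src", "sport", "dst", "dport", "proto")


class StatefulForwarder:
    """Minimal connection tracker: flows keyed direction-independently."""

    def __init__(self):
        self.conntrack = set()  # flow keys seen so far (no timeouts modelled)

    @staticmethod
    def _key(pkt):
        # Order-independent endpoints so a reply matches the original flow.
        ends = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return (pkt["proto"], ends)

    def forward(self, pkt):
        key = self._key(pkt)
        if key in self.conntrack:
            return "ACCEPT"  # ESTABLISHED: part of a flow already allowed
        if pkt["in"] == LAN_IFACE and ipaddress.ip_address(pkt["src"]) in LAN:
            self.conntrack.add(key)  # NEW flow opened from the LAN
            return "ACCEPT"
        return "DROP"  # NEW from outside, including RTR1 <-> RTR2 transit


def run_scenario():
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = StatefulForwarder()
    packets = [
        ("eth0", "192.0.2.10", 40000, "203.0.113.1", 80, "tcp"),   # LAN opens flow
        ("eth2", "203.0.113.1", 80, "192.0.2.10", 40000, "tcp"),   # reply to it
        ("eth1", "198.51.100.1", 50000, "203.0.113.1", 80, "tcp"), # RTR1 -> RTR2 transit
        ("eth2", "203.0.113.1", 80, "198.51.100.1", 50000, "tcp"), # "reply" to dropped flow
        ("eth1", "198.51.100.1", 50001, "192.0.2.10", 22, "tcp"),  # unsolicited inbound
    ]
    return [fw.forward(dict(zip(FIELDS, p))) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```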