Date: Mon, 16 Sep 1996 21:07:01 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: inet-access@earth.com
Cc: iap@vma.cc.nd.edu, linuxisp@jeffnet.org, freebsd-isp@freebsd.org, os2-isp@dental.stat.com
Subject: Filter outgoing spoofed SYN's on BAY routers
Message-ID: <Pine.BSI.3.93.960916210240.3265V-100000@sidhe.memra.com>
The following fragment is from the NANOG list archived at http://www.merit.edu

I changed the IP address to 10.14.22.0. You should use your own real IP address.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

---------- Fragment of message ----------

Filters for Bay routers are not very difficult, owing to the graphical configuration tools. On one of my ethernet segments, all source addresses should be in the 10.14.22.0 range. Here is how I built a filter for this interface:

In Site Manager, select the circuit that the filter will be applied to. Filters are built for traffic coming IN to the interface, so in this case I applied the filter to my ethernet interface. Once the interface is selected, select "Edit Circuit", then pull down Protocols->Edit IP->Traffic Filters.

If this is the first filter of this type that you're creating, you'll need to create a filter template first. This template gets stored on your hard drive, so you can jump over to another router and apply the same filter template, just changing the appropriate addresses.

Once you create a new template, you'll want to choose the following:

    Condition->IP Source Address
        0.0.0.0 - 10.14.22.0
        10.14.22.255 - 255.255.255.255
    Action->Drop
    Action->Detailed Log (this is optional.. I use it)

That's all there is to it. Once you create this template, then go back to the "IP Filters" screen and actually create the filter. When prompted for a template, use the one you just created.

This method tells the router to allow that which you do not specifically deny. You can also create two filters, one saying "drop everything" and the other one telling it specifically what you want to allow. Personally, I prefer the first method because it seems more efficient.. Perhaps someone from Bay will comment on the optimal way to do this.
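The filter logic described in the fragment above, as an added Python model that is not part of the message or of Bay's software: it applies the two Drop ranges from the template to constructed sample source addresses and compares the result with the alternative "drop everything, then allow" method. The allow range 10.14.22.1 - 10.14.22.254 is my assumption, taken as the complement of the two Drop ranges.

```python
import ipaddress

# Two Drop conditions copied from the message: together they cover every
# source address outside the 10.14.22.0 segment.
DROP_RANGES = [
    ("0.0.0.0", "10.14.22.0"),
    ("10.14.22.255", "255.255.255.255"),
]

# Assumption: the complement of DROP_RANGES, i.e. the host addresses of the
# segment (used only by the second, deny-by-default method).
ALLOW_RANGES = [("10.14.22.1", "10.14.22.254")]


def in_range(addr, low, high):
    """True if addr lies in the inclusive range low..high (dotted quads)."""
    a = ipaddress.IPv4Address(addr)
    return ipaddress.IPv4Address(low) <= a <= ipaddress.IPv4Address(high)


def allow_unless_denied(src):
    """Method 1 from the message: drop matches of the Drop template, allow the rest."""
    if any(in_range(src, lo, hi) for lo, hi in DROP_RANGES):
        return "drop"
    return "allow"


def deny_unless_allowed(src):
    """Method 2: a 'drop everything' filter plus explicit allows."""
    if any(in_range(src, lo, hi) for lo, hi in ALLOW_RANGES):
        return "allow"
    return "drop"


def filter_ingress(sources, policy=allow_unless_denied):
    """Apply the policy to packets arriving IN on the ethernet interface.
    Returns the verdict per source and the 'Detailed Log' lines for drops."""
    verdicts, log = {}, []
    for src in sources:
        verdicts[src] = policy(src)
        if verdicts[src] == "drop":
            log.append(f"ingress filter: dropped packet with spoofed source {src}")
    return verdicts, log


# Constructed sample sources: legitimate hosts, the network and broadcast
# addresses, and addresses no host on this segment should ever emit.
SAMPLE_SOURCES = ["10.14.22.17", "10.14.22.254", "10.14.22.0",
                  "10.14.22.255", "10.14.23.1", "192.0.2.9", "0.0.0.0"]

if __name__ == "__main__":
    verdicts, log = filter_ingress(SAMPLE_SOURCES)
    for src, verdict in verdicts.items():
        print(f"{src:16} {verdict}")
    print("\n".join(log))
```

Both methods give identical verdicts on the samples; the Drop-template form only differs in that a misconfigured second range fails open rather than closed, which is worth checking whenever the template is copied to another router with different addresses.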