View Single Post
Old 25th May 2008
robbak's Avatar
robbak robbak is offline
Real Name: Robert Backhaus
VPN Cryptographer
Join Date: May 2008
Location: North Queensland, Australia
Posts: 366

Sorry, which message are you replying to?

There are two places where a bogon list is usefull.
First, you want to drop all packets arriving at your network stating bogus source addresses.
Secondly, you might like to drop packets that state bogus source addresses, produced by missconfigured hosts on your network, or by a failure of NAT.
The first is done by the simple rules that I stated above. the second would be a similar rule (block quick out on $ext_if from <bogons>

The other, more compex rules are interesting - They verify that the packets are good, and then flag them so they quickly pass on the way out of the internal interface.

Edit: the reason for specifying the external interface is that the local, private network needs to contact the server, and the private netspaces are on the bogon lists. There are ways to block bogons on the internal interface (Use a rule to flag valid local packets, then add an exception to your bogon filter), but it is not really worth it.

(What this message really says is, "Uh, What you say??")
The only dumb question is a question not asked.
The only dumb answer is an answer not given.

Last edited by robbak; 25th May 2008 at 08:58 AM.
Reply With Quote