
Re: nat exclusions

Daniel Hartmeier wrote:
> You mean .0 and .255 as source addresses. I'd block them on the internal
> interface, as you really don't want to pass them to external addresses.
> Sounds more straight-forward than preventing nat (and possibly send them
> out with untranslated source addresses, unless you block them, too), as
> in
>   block log quick on $int_if from {, } \
>       to ! $int_if
> That also logs them, so you can investigate when they occur. I'm not
> sure the stack would even IP forward them in the first case, the entire
> point might be moot ;)
> But, yes, :hosts could be useful in some cases, it's probably simple to
> support, noted as possible new feature on the to-do list.
I think :netnum (or :net) will be more logical since you can do
  block log quick on $int_if from { $int_if:netnum, $int_if:broadcast } \
      to ! $int_if
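As an added example (not code from this thread or from PF itself), the helper below shows what a :netnum-style modifier would have to expand to: the two specific host addresses of the interface's subnet (network number and broadcast), not the subnet prefix itself, so the resulting rule blocks only those sources and not the whole internal net. The $int_if macro name is taken from the thread; the interface address used is a constructed sample. It also covers the edge case the thread does not mention: on a /31 point-to-point link (RFC 3021) or a /32 there is no network-number or broadcast address, so no rule is produced.

```python
import ipaddress
from typing import Optional, Tuple

def bogus_source_addresses(iface_addr: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (network_number, broadcast) for an IPv4 interface address
    given in CIDR form, e.g. '192.168.1.1/24'.

    Returns (None, None) where the prefix has no such addresses:
    /31 point-to-point links (both addresses are hosts, RFC 3021),
    /32 host routes, and IPv6 (which has no broadcast address).
    """
    iface = ipaddress.ip_interface(iface_addr)
    net = iface.network
    if net.version != 4 or net.prefixlen >= 31:
        return None, None
    return str(net.network_address), str(net.broadcast_address)

def pf_block_rule(iface_name: str, iface_addr: str, log: bool = True) -> Optional[str]:
    """Render the rule from the thread with the two addresses spelled out.

    iface_name is the macro or interface name as it appears in pf.conf
    (the thread uses the macro $int_if); iface_addr is the interface's
    own address in CIDR form (a constructed sample in the usage below).
    """
    net_addr, bcast = bogus_source_addresses(iface_addr)
    if net_addr is None:
        return None  # nothing to block on /31, /32 or IPv6
    verb = "block log quick" if log else "block quick"
    # Doubled braces produce literal { } in the f-string output.
    return f"{verb} on {iface_name} from {{ {net_addr}, {bcast} }} to ! {iface_name}"

def is_bogus_source(src: str, iface_addr: str) -> bool:
    """True if src is the network number or broadcast address of the
    subnet on iface_addr, i.e. a source the rule above would drop."""
    net_addr, bcast = bogus_source_addresses(iface_addr)
    return src in (net_addr, bcast)

if __name__ == "__main__":
    # Constructed sample: internal interface at 192.168.1.1/24.
    print(pf_block_rule("$int_if", "192.168.1.1/24"))
    # A /31 uplink yields no rule, since neither special address exists.
    print(pf_block_rule("$ptp_if", "10.0.0.1/31"))
```

Run it and the first line printed is the expanded form of the rule discussed in the thread; the second is None, which is the case a literal :netnum expansion would have to guard against.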