Re: Filters for dialup ppp/slip/shell (fwd)

Doug Ingraham (dpi@rapidnet.com)
Wed, 11 Dec 1996 23:01:32 -0700 (MST)

On Wed, 11 Dec 1996 thoth@purplefrog.com wrote:

> > You could do both I suppose, but I wouldn't rely on just the dialin filters,
> > especially if you offer shell access since they don't work there.

I am planning to do both for this reason.

> Well, I guess you could write a generic filter for all your dialin to
> prevent them from spoofing out except for the fact that they'll be able to
> spoof any IP from the dialin pool.
>
> A tiny problem in my opinion. RFE.

I placed an in filter in each of my PM's that deny's a source address
other than one of the assigned in that box. I have not caught anyone
trying to be naughty yet but I have found several customers with a
winsock that lies. It tries to use an IP address from a different PM's
assigned group. It would be extremely useful to be able to limit the
permitted source address to the address assigned by the PM.

It is very difficult to tell which physical serial port is causing the
problem because the log doesn't contain that information. Why wasn't
this information logged. Either the port or the username or both would
have been nice.

Doug Ingraham A Puritan is someone who absolutely cannot stand the
Rapid City, SD idea that someone somewhere is having a good time. :-)
USA