George Herbert writes:
Simple for Livingstons...
create a filter "internet.out" Contents: three lines for each net block you have:
permit 1.2.3.4/20 tcp
permit 1.2.3.4/20 udp
permit 1.2.3.4/20 icmp
Actually, a single "permit 1.2.3.4/20" line will do. In Livingston command line syntax:
set filter internet.out 1 permit 1.2.3.4/20
final line to log (optional) MUST COME AFTER permit list for netblocks:
deny log
The final line will have the router syslog a message any time someone tries to send from an address outside your blocks, as defined in the rest of the filter. This is optional. Keep in mind that the panix attack would probably have flooded your syslog machine's disk space with syslog info in this case. Hardening that is an issue for another day, however.
Logging denies will fill up your log anyway. Packets arriving for a dialup user after he/she hangs up fall through to the default route back out of the box. They are then _outbound_ packets with source address off the network and destination address on the network. Dialup providers who want to log denies based on a source address being on their network should have a preceding unlogged deny based on the destination address being on their network:
set filter internet.out 1 permit 1.2.3.4/20
set filter internet.out 2 deny 0.0.0.0/0 1.2.3.4/20
set filter internet.out 3 deny log
--
Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY stpeters@NetHeaven.com
Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
First Internet service based in the 518 area code
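To make the ordering argument concrete, here is an added example (my own, not from either poster and not a Livingston parser) that evaluates the three-rule internet.out filter above as a first-match list. It assumes the semantics the thread describes: rule 1 permits anything sourced from the customer block, rule 2 silently drops anything destined back into that block (the bounced packets for a hung-up dialup user), and rule 3 drops and logs everything else, which is what remains a spoofed source. The packets and the helper names are constructed for the demonstration.

```python
import ipaddress

# Constructed: the customer block from the thread. /20 containing 1.2.3.4 is 1.2.0.0/20.
OUR_NET = ipaddress.ip_network("1.2.3.4/20", strict=False)

# Each rule is (action, src_net or None, dst_net or None, log). None = any.
# Rule order mirrors "set filter internet.out 1/2/3" in the post.
INTERNET_OUT = [
    ("permit", OUR_NET, None, False),   # 1 permit 1.2.3.4/20
    ("deny", None, OUR_NET, False),     # 2 deny 0.0.0.0/0 1.2.3.4/20 (unlogged)
    ("deny", None, None, True),         # 3 deny log
]

# The filter as originally proposed: no unlogged deny on destination.
WITHOUT_DST_DENY = [INTERNET_OUT[0], INTERNET_OUT[2]]


def evaluate(rules, src, dst):
    """First-match evaluation (assumed). Returns (rule_no, action, logged).

    A packet matching no rule is denied without logging, mirroring an
    implicit default deny; rule_no is then None.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for number, (action, src_net, dst_net, log) in enumerate(rules, start=1):
        if src_net is not None and src_ip not in src_net:
            continue
        if dst_net is not None and dst_ip not in dst_net:
            continue
        return number, action, log
    return None, "deny", False


# Constructed outbound packets seen on the filter:
PACKETS = {
    "customer": ("1.2.5.7", "198.51.100.9"),      # legitimate customer traffic
    "bounced": ("203.0.113.5", "1.2.5.7"),        # reply to a hung-up dialup user,
                                                  # re-emitted via the default route
    "spoofed": ("203.0.113.5", "198.51.100.9"),   # source not ours: the case to log
}


def classify(rules, packets=PACKETS):
    """Map each packet name to its (rule_no, action, logged) decision."""
    return {name: evaluate(rules, s, d) for name, (s, d) in packets.items()}


def logged_names(rules, packets=PACKETS):
    """Names of packets that would generate a syslog line under these rules."""
    return sorted(n for n, (_, _, log) in classify(rules, packets).items() if log)


if __name__ == "__main__":
    print("three-rule filter:", classify(INTERNET_OUT))
    print("logged:", logged_names(INTERNET_OUT))
    print("without rule 2, logged:", logged_names(WITHOUT_DST_DENY))
```

With the two-rule filter the bounced packet reaches the logging deny, so every reply to a disconnected user becomes a syslog line; inserting the unlogged destination-based deny ahead of it leaves only the genuinely spoofed packet in the log.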