:: Jay R. Ashworth writes ::
No, IMHO, the comment stands: no matter _what_ size your network is, if you assign host addresses with a .0 or .255 final octet, things may break, and you deserve what you get.
.255 and .0 are perfectly valid on /23 and shorter-prefixed subnets. But many people have made that argument, so I'll get to a much more important point: There's no benefit at all to filtering .255 if your network is properly configured.

(1) Let's suppose I block packets coming in to my network that have a source address of X.X.X.255. This does nothing for me. Specifically, it doesn't prevent amplified ECHO REPLYs from coming in. Why? Because those packets don't have the source address of the broadcast address that was used to get the amplification effect. They have the unicast source address of the individual machines that answered the ECHO REQUESTS. That is, let's suppose your Web Server is 200.200.5.5. Let's suppose that 100.100.100/24 is a viable amplification subnet. If I send ECHO REQUESTS with Source=200.200.5.5, Destination=100.100.100.255, you will see lots of ECHO REPLYs coming at your Web Server. None will have Source Address 100.100.100.255. Instead, they will have Source Address 100.100.100.X, with 1<=X<=254.

(2) Let's suppose I block packets leaving my network with a destination address of X.X.X.255. This would tend to prevent users on my network from initiating smurf attacks (in the above example, they would be unable to send packets to the 100.100.100.255 amplifier). But this is an incredibly suboptimal way of preventing my users from launching smurf attacks. What I actually implement is filters that prevent packets from leaving my network with a source address that isn't in my address space. This makes it impossible for my users to smurf anyone but me (because, using the above example again, they can't get the packets with Source Address 200.200.5.5 out of my network).

In other words, blocking Source Address=X.X.X.255 inbound does absolutely nothing to prevent your network from being smurfed, and as long as you properly configure to prevent source-address forgery, blocking Destination Address=X.X.X.255 from leaving your network is superfluous.
(Of course, blocking Destination Address=X.X.X.255 from coming in is strictly a personal decision. If you know all your networks are at least as big as a /24, and you know that you don't use X.X.X.255 and X.X.X.0, then blocking inbound packets to X.X.X.255 is a perfectly valid way to configure your router to prevent yourself from being used as an amplifier. But that doesn't require that *other people* refrain from using X.X.X.{0|255}, only that you do.)

- Brett (brettf@netcom.com)
------------------------------------------------------------------------------
... Coming soon to a                   | Brett Frankenberger
.sig near you ... a Humorous Quote ... | brettf@netcom.com
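The following is an added example, not part of Brett's post, that models the two filters he compares. It reuses the addresses from the post (victim 200.200.5.5, amplifier 100.100.100.0/24); the attacker's upstream prefix 10.0.0.0/8 and the packet representation are assumptions made for the simulation. It shows that every reply from the amplifier carries a unicast .1-.254 source, so an inbound filter on a .255 source drops nothing, while an egress filter on source address stops the forged request before it ever reaches the amplifier. It also checks the opening point: on a /23 or /22, addresses ending in .0 and .255 are ordinary hosts that a last-octet filter would cut off.

```python
import ipaddress

# Addresses from the post being discussed.
VICTIM = "200.200.5.5"              # the web server being smurfed
AMPLIFIER_NET = "100.100.100.0/24"  # /24 whose directed broadcast is answered
# Assumption for the simulation: the attacker sits in 10.0.0.0/8.
ATTACKER_UPSTREAM = "10.0.0.0/8"


def make_packet(src, dst, kind):
    """Minimal packet model: just the fields the filters look at."""
    return {"src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "kind": kind}


def amplify(request, subnet):
    """Model a subnet that answers directed broadcasts: each host replies
    from its own unicast address, never from the broadcast address."""
    net = ipaddress.ip_network(subnet)
    if request["kind"] != "ECHO_REQUEST" or request["dst"] != net.broadcast_address:
        return []
    return [make_packet(host, request["src"], "ECHO_REPLY") for host in net.hosts()]


def last_octet_is_0_or_255(addr):
    return int(addr) & 0xFF in (0, 0xFF)


def inbound_last_octet_filter(packets):
    """The filter under discussion: drop packets whose source ends in .0 or .255."""
    return [p for p in packets if not last_octet_is_0_or_255(p["src"])]


def egress_source_filter(packets, my_net):
    """Anti-spoofing egress filter: only packets sourced from our own space leave."""
    net = ipaddress.ip_network(my_net)
    return [p for p in packets if p["src"] in net]


def count_legit_hosts_dropped(subnet):
    """How many real host addresses of `subnet` a last-octet filter would block."""
    net = ipaddress.ip_network(subnet)
    return sum(1 for h in net.hosts() if last_octet_is_0_or_255(h))


def run_scenario():
    """Forged request from the attacker, amplified, then filtered both ways."""
    forged = make_packet(VICTIM, "100.100.100.255", "ECHO_REQUEST")

    # (2) Egress filter at the attacker's upstream: the forged source is not
    # in 10/8, so the request never leaves. Only the victim's own network
    # would pass it, i.e. users there can only smurf themselves.
    leaves_attacker_net = egress_source_filter([forged], ATTACKER_UPSTREAM)
    leaves_victim_net = egress_source_filter([forged], "200.200.0.0/16")

    # (1) If the request does reach the amplifier, the replies all carry
    # unicast sources, so a .255 source filter at the victim drops none.
    replies = amplify(forged, AMPLIFIER_NET)
    survivors = inbound_last_octet_filter(replies)

    return {
        "forged_leaves_attacker_net": len(leaves_attacker_net),
        "forged_leaves_victim_net": len(leaves_victim_net),
        "replies": len(replies),
        "replies_aimed_at_victim": sum(str(p["dst"]) == VICTIM for p in replies),
        "replies_from_broadcast_addr": sum(str(p["src"]) == "100.100.100.255"
                                           for p in replies),
        "replies_passing_last_octet_filter": len(survivors),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
    for prefix in ("100.100.100.0/24", "100.100.100.0/23", "100.100.100.0/22"):
        print(f"{prefix}: legitimate hosts dropped by last-octet filter ="
              f" {count_legit_hosts_dropped(prefix)}")
```

Running it prints 254 replies, all aimed at the victim, none sourced from the broadcast address and none dropped by the last-octet filter, while the egress source filter drops the forged request at the attacker's upstream. The /23 and /22 counts (2 and 6) are the legitimate hosts a last-octet filter would silently cut off, which is the point made in the first sentence of the post.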