[comp.sys.proteon] P4200 IP Router & access-control

aks@somewhere.ucsb.edu (Alan Stebbens) (09/27/90)

We have a P4200 with IP routing, and we are trying to setup a selective
filter using the "access-control" feature, where except for a few,
special IP addresses, IP traffic to or from any systems on a small range
of subnets is suppressed.  This can be done using access lists on cisco
routers, with their combination of "permit" and "deny" keywords on each
list.  We cannot figure out how to do this on the P4200, using either
the "inclusive" or "exclusive" modes.

To make this clear: we want to limit access of systems on two subnets to
just a few machines in another subnet.  For example: we have systems on
subnets 128.111.1.0 and 128.111.2.0 which we want to restrict access to
those systems only coming from 128.111.3.0 (not the real subnet
numbers).  In other words, access from any other network, or any other
subnets within our own network is to be denied to the systems on our
subnets 1 and 2.  Try to construct an "exclusive" access-control list
which does this (hint: it's possible, but incredibly complicated, and
requires enumeration of all networks above 128.111.0.0).

Is there any plan to enhance the access-control feature to allow both
"permit" and "deny" style address filters?  Is V8.1a the latest version?
Should we punt and buy cisco?

Alan Stebbens   Computer Resource Manager
		Center for Computational Sciences and Engineering (CCSE)
		University of California, Santa Barbara
		3111 Engineering I
		Santa Barbara, CA 93106

Internet: aks@hub.ucsb.edu
BITNET:   aks%hub@ucsbuxa.bitnet
UUCP:     ...{ucbvax,sdcsvax,cepu}!ucsbcsl!aks
Voice:    (805) 893-8135 (CCSE Office: 893-3221)

--

Alan Stebbens <aks@hub.ucsb.edu>

medin@NSIPO.NASA.GOV ("Milo S. Medin", NASA ARC NSI Project Office) (09/27/90)

Alan, I don't see what the problem is...  Use inclusive access control.

Unless I know your particular subnet numbers, I can't tell you what
masks to use however.  Note that your mask doesn't have to deal with
a subnet or network.  If you did the following:

128.111.128.0	FFFF8000	0.0.0.0		00000000 
0.0.0.0		00000000 	128.111.128.0	FFFF8000

I think you would get everything over subnet 128 to be allowed to talk
to the outside world.  Even if the 2 subnets aren't adjacent, it doesn't take
much to set it up.  Use the mask feature.  It's extremely powerful,
and the way Proteon implemented it is relatively efficient for forwarding
rates...  The manual isn't very nourishing in this area, but it's
terse and very concise, and tells you what you need to know.

With OSPF we now have variable length subnet masks, so we all need to
start thinking in terms of masking and matching for routing as well
as access control.

					Thanks,
					   Milo

aks@HUB.UCSB.EDU (Alan Stebbens) (09/27/90)

> Alan, I don't see what the problem is...  Use inclusive access control.
> 
> Unless I know your particular subnet numbers, I can't tell you what
> masks to use however.  Note that your mask doesn't have to deal with
> a subnet or network.  If you did the following:
> 
> 128.111.128.0	FFFF8000	0.0.0.0		00000000 
> 0.0.0.0		00000000 	128.111.128.0	FFFF8000
> 
> I think you would get everything over subnet 128 to be allowed to talk
> to the outside world.  Even if the 2 subnets aren't adjacent, it doesn't take
> much to set it up.  Use the mask feature.  It's extremely powerful,
> and the way Proteon implemented it is relatively efficient for forwarding
> rates...  The manual isn't very nourishing in this area, but it's
> terse and very concise, and tells you what you need to know.

Milo,

A problem with this is that the router in question has five active
interfaces: three Ethernets, one 80MB fiber token-ring, and one
synchronous serial.  It would be applying these filters against all
packets, regardless of which interface they came from.  We don't want to
filter packets EXCEPT those destined or sourced from a couple of
restricted subnets in our network.  Essentially, we want to limit access
to hosts on the restricted subnets to hosts on another subnet, all
within the same Class B network.

I *have* used masks; I *know* how to use masks; we administrate several
cisco routers and terminal servers with access lists, using masks, and
I've been playing with the Proteon access controls for more than a
little while.  On the other hand, there probably are some cute tricks
with masks to which I've not been exposed.

I'll try again:

Here's the desired filter using an English-like PDL:

	Addr := IPSrcAddr or IPDestAddr
	IF   (IPSrcAddr is in subnet 128.111.43.0
	   or IPSrcAddr is in subnet 128.111.44.0)
	  and IPDstAddr is not in subnet 128.111.24.0
	THEN drop it
	ELSE route it

I don't believe that, currently, under 8.1a, it is possible to do this
with the access-control lists.  I may be wrong, of course, but I'd have
to be shown how to do it, at this point.

My purpose in the mailing was not to illustrate how clueless I am
(although that may have been an unintended side-effect :^), but to point
out that, IMHO, there is a serious deficiency in Proteon's
access-controls mechanism.

In a private mailing from someone at Proteon, it turns out that there is
a new software load, not generally available yet, which is purported to
address this issue.  Apparently, we're not the first to stumble on more
than simple filtering problems.

Thanks for your response, though.

Alan Stebbens   Computer Resource Manager
		Center for Computational Sciences and Engineering (CCSE)
		University of California, Santa Barbara
		3111 Engineering I
		Santa Barbara, CA 93106

Internet: aks@hub.ucsb.edu
BITNET:   aks%hub@ucsbuxa.bitnet
UUCP:     ...{ucbvax,sdcsvax,cepu}!ucsbcsl!aks
Voice:    (805) 893-8135 (CCSE Office: 893-3221)
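A small Python model of the two list styles discussed in this thread (Milo's inclusive mask entries above, and Alan's PDL filter), added here as an example and not part of either poster's text or of any Proteon software. The entry semantics are an assumption reconstructed from how the posts describe the feature, not taken from Proteon documentation: an entry is (source address, source mask, destination address, destination mask), a packet matches when both masked comparisons hold, inclusive mode routes only matching packets and exclusive mode drops them. The subnet numbers are the ones Alan used. The code builds Alan's "deny unless destined for 128.111.24.0" policy as both an inclusive and an exclusive list by enumerating the complement prefixes he refers to, and brute-force checks each list against a reference predicate so you can see both the size of the enumeration and that it is correct.

```python
"""Assumed model of Proteon-style IP access-control lists (from the thread, not
from Proteon docs): entry = (src_addr, src_mask, dst_addr, dst_mask)."""
import ipaddress
from itertools import product

ANY = ipaddress.ip_network("0.0.0.0/0")          # address 0.0.0.0, mask 00000000

def ip(s):
    """Dotted quad -> 32-bit int."""
    return int(ipaddress.IPv4Address(s))

def entry(src_net, dst_net):
    """Build an entry from two IPv4Network objects (ANY = don't care)."""
    return (int(src_net.network_address), int(src_net.netmask),
            int(dst_net.network_address), int(dst_net.netmask))

def fmt_entry(e):
    """Render an entry in the addr/hex-mask column layout used in the thread."""
    sa, sm, da, dm = e
    return f"{ipaddress.IPv4Address(sa)}\t{sm:08X}\t{ipaddress.IPv4Address(da)}\t{dm:08X}"

def matches(e, src, dst):
    sa, sm, da, dm = e
    return (src & sm) == (sa & sm) and (dst & dm) == (da & dm)

def decide(mode, entries, src, dst):
    """Inclusive: route only on a hit. Exclusive: drop on a hit."""
    hit = any(matches(e, src, dst) for e in entries)
    if mode == "inclusive":
        return "route" if hit else "drop"
    if mode == "exclusive":
        return "drop" if hit else "route"
    raise ValueError(f"unknown mode {mode!r}")

# Milo's two entries: anything with the 128.111.128.0/17 half as source or destination.
HALF = ipaddress.ip_network("128.111.128.0/255.255.128.0")
MILO = [entry(HALF, ANY), entry(ANY, HALF)]

# Alan's policy: sources in 43.0 or 44.0 may only reach 24.0; everything else routes.
RESTRICTED = [ipaddress.ip_network("128.111.43.0/24"),
              ipaddress.ip_network("128.111.44.0/24")]
ALLOWED_DST = ipaddress.ip_network("128.111.24.0/24")

def policy(src, dst):
    """Alan's PDL as a reference predicate (what the lists must reproduce)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if any(s in r for r in RESTRICTED) and d not in ALLOWED_DST:
        return "drop"
    return "route"

def complement(excluded):
    """Prefixes covering every address NOT in any excluded network: the
    enumeration a mask-only list needs to say 'not in subnet X'."""
    remaining = [ANY]
    for ex in excluded:
        nxt = []
        for net in remaining:
            if net.subnet_of(ex):            # wholly excluded (covers equality)
                continue
            if ex.subnet_of(net):            # split net around ex
                nxt.extend(net.address_exclude(ex))
            else:
                nxt.append(net)
        remaining = nxt
    return remaining

def inclusive_list():
    """route = (src not restricted) OR (dst in allowed subnet)."""
    return [entry(n, ANY) for n in complement(RESTRICTED)] + [entry(ANY, ALLOWED_DST)]

def exclusive_list():
    """drop = (src restricted) AND (dst not allowed): one entry per pair."""
    return [entry(r, d) for r in RESTRICTED for d in complement([ALLOWED_DST])]

def check(mode, entries):
    """Brute-force the list against the reference policy on constructed sample hosts."""
    samples = ["128.111.43.7", "128.111.44.200", "128.111.24.1", "128.111.2.9",
               "128.111.45.1", "128.111.42.3", "10.0.0.1", "128.110.43.1"]
    return all(decide(mode, entries, ip(s), ip(d)) == policy(s, d)
               for s, d in product(samples, repeat=2))

if __name__ == "__main__":
    for mode, lst in (("inclusive", inclusive_list()), ("exclusive", exclusive_list())):
        print(f"{mode}: {len(lst)} entries, correct={check(mode, lst)}")
        for e in lst:
            print("  " + fmt_entry(e))
```

Under these assumed semantics the inclusive form needs 26 entries and the exclusive form 48, which is the enumeration Alan describes; a single entry cannot express "not in subnet" because each entry is one AND of two masked matches, so the complement has to be spelled out prefix by prefix.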