This is actually an incoming filter...
> acc 102 permit ip any 126.96.36.199 0.0.0.255
Ummmm.... disclaimer, I'm not an expert on this, but according to my
understanding of how Cisco access lists work, the incoming filter you
showed actually does nothing at all. The normal situation is that
packets are coming in from random addresses, destined for your
internal network. There is nothing in this filter that prevents your
own source addresses from being spoofed outside your border.
It seems to me that you want something more like this, which is what
we have in place:
acc 102 deny ip 188.8.131.52 0.0.0.255 any
acc 102 permit ip any any
It seems to work for us. Please let me know if I'm missing something here!
==>It seems to me that you want something more like this, which is what
==>we have in place:
==> acc 102 deny ip 184.108.40.206 0.0.0.255 any
==> acc 102 permit ip any any
==>It seems to work for us. Please let me know if I'm missing something here!
This works for stopping the spoofing of your own internal hosts from
getting packets into your network.
To stop the problem that's presented here (of packets flowing out of your
network with random IP addresses (as one can do on a Linux-box dial-up)),
you need an outbound filter based on source-address, like the following:
access-list 102 permit ip 220.127.116.11 0.0.0.255 any
access-list 102 permit ip 18.104.22.168 0.0.0.255 any
ip access-group 102 out
This will allow packets sourced from hosts in the
22.214.171.124-126.96.36.199 and 188.8.131.52-184.108.40.206 range out,
but other packets will be stopped at that router, including those SYN
floods with random source IPs.
Depending upon your network architecture, the optimal placement of these
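To make the difference between the three filters in this thread concrete, here is an added Python model of Cisco wildcard-mask ACL evaluation; it is not part of the thread and not IOS code. It parses the entries quoted above (the "acc" abbreviation and "access-list" spelled out are both accepted), applies the implicit deny at the end of every Cisco ACL, and runs constructed packets through each filter. The addresses are the ones the posters used; the sample source/destination hosts inside those ranges and the 203.0.113.x / 198.51.100.x "random" sources are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical mini-parser for Cisco extended ACL lines of the form
#   access-list N {permit|deny} ip {any|A.B.C.D W.X.Y.Z} {any|A.B.C.D W.X.Y.Z}
# Only the "ip" protocol keyword is modelled; "ip access-group" lines are ignored.

Operand = Tuple[int, int]  # (address, wildcard) as 32-bit integers


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: Operand
    dst: Operand


def _parse_operand(tokens: List[str], i: int) -> Tuple[Operand, int]:
    """Return ((addr, wildcard), next_index) for 'any' or 'A.B.C.D W.X.Y.Z'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "ip":  # e.g. "ip access-group 102 out": binding, not a rule
            continue
        if tokens[0] in ("access-list", "acc"):  # drop keyword and list number
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled here")
        src, i = _parse_operand(tokens, 2)
        dst, _ = _parse_operand(tokens, i)
        entries.append(AclEntry(action, src, dst))
    return entries


def _matches(operand: Operand, ip: int) -> bool:
    # Cisco wildcard: a 1 bit means "don't care"; 0.0.0.255 therefore matches a /24
    addr, wild = operand
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (addr & care)


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """First-match semantics; anything that matches no entry hits the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for e in acl:
        if _matches(e.src, s) and _matches(e.dst, d):
            return e.action
    return "deny"


# The three filters quoted in the thread.
INBOUND_ORIGINAL = ["acc 102 permit ip any 126.96.36.199 0.0.0.255"]
INBOUND_ANTISPOOF = ["acc 102 deny ip 188.8.131.52 0.0.0.255 any",
                     "acc 102 permit ip any any"]
OUTBOUND_EGRESS = ["access-list 102 permit ip 220.127.116.11 0.0.0.255 any",
                   "access-list 102 permit ip 18.104.22.168 0.0.0.255 any",
                   "ip access-group 102 out"]


def spoofing_outcomes() -> dict:
    """Constructed packets run through each filter; keys describe the scenario."""
    orig = parse_acl(INBOUND_ORIGINAL)
    anti = parse_acl(INBOUND_ANTISPOOF)
    egress = parse_acl(OUTBOUND_EGRESS)
    return {
        # original inbound filter: a packet forged with an internal source still passes
        "orig_inbound_spoofed_internal_src": evaluate(orig, "126.96.36.77", "126.96.36.10"),
        "orig_inbound_outside_src": evaluate(orig, "203.0.113.5", "126.96.36.10"),
        # anti-spoof inbound filter: forged internal source is dropped, real outside host passes
        "antispoof_inbound_spoofed_internal_src": evaluate(anti, "188.8.131.9", "188.8.131.10"),
        "antispoof_inbound_outside_src": evaluate(anti, "203.0.113.5", "188.8.131.10"),
        # egress filter: only packets sourced from the two internal /24s leave the router
        "egress_real_internal_src": evaluate(egress, "220.127.116.4", "203.0.113.5"),
        "egress_random_src": evaluate(egress, "198.51.100.77", "203.0.113.5"),
    }


if __name__ == "__main__":
    for scenario, verdict in spoofing_outcomes().items():
        print(f"{scenario}: {verdict}")
```

The "orig_inbound" pair is the point the second poster made: a filter that only checks the destination permits forged internal sources just as readily as genuine outside ones. The egress pair is the third poster's point: with only source-based permits and the implicit deny, a packet leaving with a random source address never gets past the border router.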