Path: utzoo!attcan!uunet!mailrus!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!swrinde!ucsd!ucbvax!HUB.UCSB.EDU!aks
From: aks@HUB.UCSB.EDU (Alan Stebbens)
Newsgroups: comp.sys.proteon
Subject: Re: P4200 IP Router & access-control
Message-ID: <9009271604.AA06351@somewhere>
Date: 27 Sep 90 16:04:08 GMT
References: <9009262312.AA13769@cincsac.arc.nasa.gov>
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 70

> Alan, I don't see what the problem is... Use inclusive access control.
>
> Unless I know your particular subnet numbers, I can't tell you what
> masks to use however. Note that your mask doesn't have to deal with
> a subnet or network. If you did the following:
>
>     128.111.128.0   FFFF8000   0.0.0.0         00000000
>     0.0.0.0         00000000   128.111.128.0   FFFF8000
>
> I think you would get everything over subnet 128 to be allowed to talk
> to the outside world. Even if the 2 subnets aren't adjacent, it doesn't take
> much to set it up. Use the mask feature. It's extremely powerful,
> and the way Proteon implemented it is relatively efficient for forwarding
> rates... The manual isn't very nourishing in this area, but it's
> terse and very concise, and tells you what you need to know.

Milo,

A problem with this is that the router in question has five active
interfaces: three Ethernets, one 80MB fiber token-ring, and one
synchronous serial. It would be applying these filters against all
packets, regardless of which interface they came from. We don't want
to filter packets EXCEPT those destined for or sourced from a couple of
restricted subnets in our network. Essentially, we want to limit access
to hosts on the restricted subnets to hosts on another subnet, all
within the same Class B network.

I *have* used masks; I *know* how to use masks; we administrate several
cisco routers and terminal servers with access lists, using masks, and
I've been playing with the Proteon access controls for more than a
little while.
On the other hand, there probably are some cute tricks with masks to
which I've not been exposed. I'll try again:

Here's the desired filter using an English-like PDL:

    Addr := IPSrcAddr or IPDestAddr

    IF ((IPSrcAddr is in subnet 128.111.43.0 or
         IPSrcAddr is in subnet 128.111.44.0)
        and IPDestAddr is not in subnet 128.111.24.0)
    THEN drop it
    ELSE route it

I don't believe that, currently, under 8.1a, it is possible to do this
with the access-control lists. I may be wrong, of course, but I'd have
to be shown how to do it, at this point.

My purpose in the mailing was not to illustrate how clueless I am
(although that may have been an unintended side-effect :^), but to
point out that, IMHO, there is a serious deficiency in Proteon's
access-controls mechanism.

In a private mailing from someone at Proteon, it turns out that there
is a new software load, not generally available yet, which is purported
to address this issue. Apparently, we're not the first to stumble on
more than simple filtering problems.

Thanks for your response, though.

Alan Stebbens
Computer Resource Manager
Center for Computational Sciences and Engineering (CCSE)
University of California, Santa Barbara
3111 Engineering I
Santa Barbara, CA 93106

Internet: aks@hub.ucsb.edu
BITNET:   aks%hub@ucsbuxa.bitnet
UUCP:     ...{ucbvax,sdcsvax,cepu}!ucsbcsl!aks
Voice:    (805) 893-8135  (CCSE Office: 893-3221)
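The following is an added worked example, not code from the post, from Proteon, or from the router. It implements the address/mask matching that the quoted entries rely on (an arbitrary 32-bit hex mask, so FFFF8000 keeps the top 17 bits and is not tied to a subnet boundary), evaluates the two quoted inclusive entries against constructed sample flows, and states the filter from the PDL above as a function so the two policies can be compared side by side. Two assumptions are mine, not the page's: inclusive-list semantics are taken to mean "route if any entry matches both source and destination, otherwise drop" (drawn from the reply's wording, not from the router manual), and each of the subnets 128.111.43.0, 128.111.44.0 and 128.111.24.0 is assumed to be a /24 (mask FFFFFF00). The sample flows are constructed.

```python
"""Address/mask matching for router access-control entries, plus the filter
described in the post. Worked example; not Proteon's code or semantics."""
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def matches(addr: str, net: str, hexmask: str) -> bool:
    """True when addr agrees with net on every bit that is set in hexmask.

    The mask is an arbitrary 32-bit pattern written as 8 hex digits (as in the
    quoted entries), so it need not be a contiguous prefix. FFFF8000 keeps the
    top 17 bits, which is why "128.111.128.0 FFFF8000" covers every address
    whose third octet is 128 through 255.
    """
    mask = int(hexmask, 16)
    return (to_int(addr) & mask) == (to_int(net) & mask)


# The two inclusive entries from the quoted reply: (src, srcmask, dst, dstmask).
INCLUSIVE_LIST = [
    ("128.111.128.0", "FFFF8000", "0.0.0.0", "00000000"),
    ("0.0.0.0", "00000000", "128.111.128.0", "FFFF8000"),
]


def inclusive_decision(src: str, dst: str, acl=INCLUSIVE_LIST) -> str:
    """ASSUMED inclusive semantics: route if any entry matches both the source
    and the destination, otherwise drop. Taken from the reply's wording, not
    from the router documentation."""
    for snet, smask, dnet, dmask in acl:
        if matches(src, snet, smask) and matches(dst, dnet, dmask):
            return "route"
    return "drop"


# The post's desired policy. ASSUMPTION: each named subnet is a /24.
SUBNET_MASK = "FFFFFF00"


def desired_decision(src: str, dst: str) -> str:
    """Drop traffic from the restricted subnets (43, 44) unless it is headed
    for subnet 24; route everything else, exactly as the PDL in the post."""
    restricted_src = (matches(src, "128.111.43.0", SUBNET_MASK)
                      or matches(src, "128.111.44.0", SUBNET_MASK))
    permitted_dst = matches(dst, "128.111.24.0", SUBNET_MASK)
    if restricted_src and not permitted_dst:
        return "drop"
    return "route"


def compare(pairs):
    """Return (src, dst, inclusive, desired) rows for a list of (src, dst)."""
    return [(s, d, inclusive_decision(s, d), desired_decision(s, d))
            for s, d in pairs]


SAMPLE_FLOWS = [  # constructed sample flows, not taken from the post
    ("128.111.43.7", "128.111.24.9"),    # restricted host to its permitted subnet
    ("128.111.43.7", "128.111.200.1"),   # restricted host to another local subnet
    ("128.111.44.3", "192.0.2.10"),      # restricted host to the outside world
    ("128.111.130.5", "192.0.2.10"),     # host above subnet 128 to the outside
    ("128.111.10.1", "128.111.43.7"),    # ordinary host into a restricted subnet
]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print("%-15s -> %-15s  inclusive=%-5s  desired=%s" % row)
```

Running it shows where the two policies disagree on the constructed flows: under the assumed inclusive semantics the quoted entries drop a restricted host talking to 128.111.24.0 and route it to 128.111.200.0, which is the reverse of what the post asks for, while a host in 128.111.130.0 reaches the outside world under both. The point of the comparison is that an interface-independent list of source/destination mask pairs has to be written around the specific subnet numbers, which is what the reply says it could not do without knowing them.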