Cover V09, I06
New Messages

From: Gene Wolski (gene.wolski@cskcorp.com)
Subject: clarification to Gil Held's article in March

Great article on router based network defenses by Gil Held in the March 2000 issue! Gil did leave one important item out of the access list: a permit entry to allow traffic in on that interface. I'm guessing that he covered the implicit deny all entry at the end of every access list in his Nov 99 article, but I can't locate my copy to confirm this. As listed on page 62, the access list will not allow any traffic in on the router's serial interface. Keep up the great work!

Gene Wolski

From: Chan Yen-Jet (YENJET@YAHOO.COM)
Subject: Router-Based Network Defense

I just read Router-Based Network Defense by Gil Held in the March 2000 issue. And I found that two configuration lines in the article are not correct:

access-list 101 deny ip 172.16.0.0 0.224.255.255 any
access-list 101 deny ip 172.16.0.0 0.31.255.255 any

I think the correct one should be:

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

Correct me if I'm wrong. Thanks in advance.

Regards,
Chan Yen Jet

From: GHeld@compuserve.com
Subject: Clarification to Article

Thanks for your comments concerning the article Router-Based Network Defense published in the March 2000 issue of Sys Admin.

You are quite right in your comment that a permit entry is required at the end of the access list to allow anything other than what a person wants to explicitly block. In actuality, an organization will usually have a series of permit statements based upon the requirements for allowing access to certain networked devices and services on those devices. In writing minor modules to illustrate concepts I overlooked this fact and appreciate your comments so we can set the record straight for readers.

The snippet of code was intended as an example to illustrate blocking certain potential spoofed addresses. As such it was correct except for a typo I will get to shortly; however, in the full context of a list it did not allow any packets to pass, as there were no permit statements in the list. In retrospect I should have mentioned that a person would include one or more permit statements after the antispoofing statements. A second problem was a typo, where the statements:

access-list 101 deny ip 172.16.0.0 0.224.255.255 any
access-list 101 deny ip 172.16.0.0 0.31.255.255 any

should have been:

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

For the life of me I can't figure out how the incorrect dotted decimal numbers got there, but their placement again reinforces the fact that one needs to double check each statement in a list. I appreciate the eagle eyes of readers who obviously checked the article in detail.

Regards,
Gil Held
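The two corrections in this exchange (the wrong wildcard masks and the missing permit before the implicit deny) can both be checked mechanically. The script below is an added example, not code from the article or the letters; it applies Cisco wildcard semantics (a 1 bit in the wildcard means "don't care"), reports what each of the three masks actually matches, and walks a constructed list with and without a trailing permit.

```python
import ipaddress

def wildcard_to_prefix(wildcard):
    """Prefix length if the wildcard is contiguous (a real subnet), else None."""
    w = int(ipaddress.IPv4Address(wildcard))
    subnet_mask = ~w & 0xFFFFFFFF          # a wildcard is the inverted subnet mask
    ones = bin(subnet_mask).count("1")
    if subnet_mask != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        return None                        # ones are not all leading: scattered blocks
    return ones

def acl_matches(addr, base, wildcard):
    """Cisco semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def wildcard_for(cidr):
    """The wildcard to write for a CIDR block, e.g. 172.16.0.0/12 -> 0.15.255.255."""
    return str(ipaddress.IPv4Network(cidr).hostmask)

def evaluate_acl(acl, src):
    """First matching entry wins; a list with no match ends in the implicit deny."""
    for action, base, wildcard in acl:
        if acl_matches(src, base, wildcard):
            return action
    return "deny"  # the implicit 'deny any' at the end of every Cisco access list

if __name__ == "__main__":
    # Constructed probe addresses: inside 172.16/12, and public ones just outside it.
    probes = ["172.16.5.1", "172.17.0.1", "172.48.0.1", "172.15.0.1"]
    for wildcard in ("0.224.255.255", "0.31.255.255", "0.15.255.255"):
        prefix = wildcard_to_prefix(wildcard)
        shape = f"/{prefix}" if prefix is not None else "non-contiguous"
        hits = [p for p in probes if acl_matches(p, "172.16.0.0", wildcard)]
        print(f"172.16.0.0 {wildcard} ({shape}) blocks {hits}")
    # The corrected antispoofing entry alone versus the same entry plus 'permit ip any any'.
    deny_only = [("deny", "172.16.0.0", "0.15.255.255")]
    with_permit = deny_only + [("permit", "0.0.0.0", "255.255.255.255")]
    print(evaluate_acl(deny_only, "192.0.2.10"), evaluate_acl(with_permit, "192.0.2.10"))
```

The run shows why the typo matters: 0.224.255.255 is not a subnet at all (it lets 172.17.x.x through and catches 172.48.x.x instead), 0.31.255.255 widens the block to 172.0.0.0/11, and only 0.15.255.255 equals 172.16.0.0/12.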

From: Greg Shebert (greg@archelon-us.com)
Subject: feedback for samag.com (April 2000 issue)

Hi there... I was just recently able to browse through the latest issue of your magazine and I have to mention that the Perl Advisor column this month (April 2000) is absolutely silly... I have been a subscriber to Sys Admin off and on for some time now and with as much respect as I have for your magazine and as much respect as I have for Mr. Schwartz, I am surprised to see an article that has so little to do with:

a) Backup -- the subject matter of the April issue and

b) Systems administration

The silly Perl scripts presented in that article are nothing more than an example of text substitution via regular expression matching... Although this type of work with Perl can be used to do very useful things -- I'd like, in the future, to see it presented in a manner related to systems administration...

just my two cents worth
Greg Shebert

Greg: I appreciate your comment. I agree, “this type of work with Perl can be used to do very useful things”, which is why I wrote that particular column. There are literally dozens of reimplementations of text templating in the CPAN, and countless reinventions of the same in small ad-hoc programs in daily use, so I know the value of such. As a UNIX system administrator for many years, I found the power of Perl to perform such mundane tasks saved me substantial work on more than one occasion. While the specific task of generating a fill-in-the-blank story was meant to be merely a humorous vehicle to keep your interest, I had intended to also show how easy these templating tasks are with Perl, perhaps for those that were stumped at even the first step. If you personally got nothing from the column, my apologies -- this one wasn't for you. Keep reading, you're bound to learn something. :-)

Randal Schwartz