[45725] in North American Network Operators' Group
Re: it's here
daemon@ATHENA.MIT.EDU (kevin graham)
Wed Feb 13 13:55:35 2002
Date: Wed, 13 Feb 2002 10:55:03 -0800 (PST)
From: kevin graham <kgraham@dotnetdotcom.org>
To: Eric Brandwine <ericb@UU.NET>
Cc: Sean Donelan <sean@donelan.com>, <nanog@merit.edu>
In-Reply-To: <gu9g045jlje.fsf@rampart.argfrp.us.uu.net>
Message-ID: <20020213103347.I299-100000@lutra.i.dotnetdotcom.org>
> OK, but that's filtering. The telnet/ssh/snmp daemon is still
> listening on all interfaces. You can't get there, as long as your
> filter stands, but those are some hard filters to write.
Creating a 'source interface' ACL for local services (vtys, snmp, sshd,
*cough* httpd, etc.) would suit the purpose nicely, and make the GRE
approach feasible w/o touching production paths. ...and an on-going wish
of mine for an 'evaluate <extended _or_ reflexive>' syntax would simplify
the maintenance of ACLs in general. But of course, even under 12.2
snmp-server still insists on numbered ACLs so maybe this is all overly
optimistic.
..kg..
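[Editor's note, not part of the original message: the service-level ACL that kevin is describing already exists in IOS for some daemons, and the fragment below is an added illustration of it, not configuration posted by anyone in the thread. It restricts the vty lines (telnet and ssh), the SNMP agent and the HTTP server to a single management prefix using a numbered standard ACL, since the message notes that snmp-server under 12.2 insists on a numbered list. The management prefix 192.0.2.0/24 (a documentation range) and the community string mgmt-ro are assumptions chosen for the example; substitute your own.]

```cisco
! Added example: management-plane ACL applied per service rather than per interface.
! 192.0.2.0/24 stands in for the management network (assumption, documentation range).
! Standard list 10 is numbered on purpose: snmp-server community only accepts
! numbered standard ACLs on the IOS releases discussed in the thread.
access-list 10 remark management hosts allowed to reach local daemons
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log

! vty access-class is checked on the inbound session regardless of which
! interface the packet arrived on, which is the point of a per-service ACL:
! the daemon still listens everywhere, but only list-10 sources can connect.
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0

! SNMP agent: community string is a placeholder; the trailing number binds ACL 10.
snmp-server community mgmt-ro RO 10

! HTTP server, if it must stay enabled at all (the *cough* in the message).
ip http access-class 10
```

One caveat a practitioner should check when relying on this: the access-class on the vty governs only connections that reach the vty daemon, and snmp-server community and ip http access-class likewise bind only their own service. Anything else the box listens on (ntp, bgp, routing protocols, and so on) still needs its own control, which is why the interface-level filter discussed earlier in the thread does not disappear entirely; the per-service ACL simply means a gap in that filter does not expose the management daemons.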