Hi,
On Sun, Jun 02, 2002 at 02:20:35PM -0700, kevin graham wrote:
> > It might be possible to isolate the machine into its own /30, though -
> > give it its own vlan, and have the router proxy-arp to simulate its
> > existence on the corresponding "other" vlan. Ugly, but certainly worth
> > a try. Hmmm. As things happen, the machine has the IP address
> > <network>.7 - this is going to be tricky...
>
> You could always just set up a router doing bridging and apply ACLs
> there.. Performance would be undoubtedly miserable, but hopefully that's
> not a big concern for a hacked box..
Indeed performance *is* critical.
Anyway, the original tip got me started:
- create a new vlan interface
- IP address 10.1.1.1/24, CEF, unicast reverse path filtering
- move machine into that vlan (on switch)
- "ip route <machine's ip> 255.255.255.255 vlan<new>" (on router)
- enable proxy-arp on old and new vlan
- clear arp
- wait for arp cache to expire on host itself
-> works like a charm
- outside machines can ping the box in question
- machines from "the same LAN" can ping the box in question (via proxy-arp)
- the machine can't spew any more garbage, unicast RPF is catching that
Thanks :-) - this wasn't the answer to my question, but it solved my
problem, which is even better.
gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert@greenie.muc.de
fax: +49-89-35655025   gert.doering@physik.tu-muenchen.de
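The router side of Gert's recipe, written out as an added example in Cisco IOS configuration (this is not from the thread itself). The interface names Vlan100/Vlan200 and the 192.0.2.0/24 addresses (192.0.2.7 standing in for the host's "<network>.7") are assumed placeholders; 10.1.1.1/24 is the address given in the message.

```cisco
! Added example, not from the original thread. Assumptions (constructed):
!   Vlan100 = the original LAN, placeholder subnet 192.0.2.0/24,
!             router address 192.0.2.1
!   Vlan200 = the new quarantine VLAN
!   192.0.2.7 = the compromised host; it keeps its old address and its
!               old /24 mask, only its switch port moves to Vlan200
!
! CEF must be on: unicast RPF is a CEF feature, and CEF is also what keeps
! the forwarding path fast (performance mattered in the thread).
ip cef
!
interface Vlan100
 description original LAN, still holds the other hosts
 ip address 192.0.2.1 255.255.255.0
 ! answer ARP requests for 192.0.2.7 on behalf of the quarantined host,
 ! so its former neighbours still reach it (through the router)
 ip proxy-arp
!
interface Vlan200
 description quarantine VLAN for the compromised host
 ip address 10.1.1.1 255.255.255.0
 ! the host still believes it lives in 192.0.2.0/24; proxy ARP lets the
 ! router answer its ARP requests for 192.0.2.1 and for the other LAN hosts
 ip proxy-arp
 ! strict uRPF: a packet is forwarded only if the best route back to its
 ! source address points out this interface. Only 192.0.2.7/32 does (host
 ! route below), so anything the box sends with a spoofed source is dropped.
 ip verify unicast reverse-path
!
! host route: makes 192.0.2.7 reachable via the new VLAN and is at the same
! time the route that uRPF checks against
ip route 192.0.2.7 255.255.255.255 Vlan200
!
! Afterwards, from enable mode: flush the stale ARP entries, then wait for
! the host's own ARP cache to time out.
!   clear arp-cache
! Verification:
!   show ip route 192.0.2.7     (should point at Vlan200)
!   show ip interface Vlan200   (shows the uRPF setting and its drop counter)
```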
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:58 EDT