Many ISP's do not know enough to filter the RFC1918 space, or only do so on the border routers and not internally.
Another good idea is to filter out-going packets by source address, allowing through only those whose source is supposed to be inside the network. Anything with a source of address which is RFC1918 is suspect. > I run a potato server on an ethernet behind a firewall > connected by dsl to the internet. The only service exposed > is ftp, In the middle of last night ippl reported an ftp > connection attempt from 192.168.1,1 The network behind my > firewall uses 192.168.75.xx addressses for one Redhat and a > couple of Windows machines as well as the debian ftp server. > Any idea where the 192.168.1.1 attempt is coming from? Is it > likely to have been spoofed over the internet as part of an attack? > > -- > ---> Hal <----> [EMAIL PROTECTED] <---
