On Fri, 9 Feb 2001, Mark Teicher wrote:

> If your upstream provider or Service Provider does not filter private 
> addresses, ask them to do so, and suggest the following filter changes to them
> 
> !Block RFC 1918 on inbound interface from Service Provider
> access-list 150 deny ip 10.0.0.0 0.255.255.255 any
> access-list 150 deny ip 127.0.0.0 0.255.255.255 any
> access-list 150 deny ip 172.16.0.0 0.15.255.255 any
> access-list 150 deny ip 192.168.0.0 0.0.255.255 any

If anyone's applying this on their border router or asking an ISP to do
so, *please* *please* *please* also apply it outbound on the external
interface.  If you're running a Cisco router, outbound access lists are
definitely fast switched; if inbound ones are process switched, then the
inbound rule should go outbound on the internal interface(s) of the
border router(s).  (If someone from Cisco could confirm or deny that inbound
access lists are still process switched, that'd be a really good thing.)

Also, it's worth adding the default PnP DHCP address range (which I don't
have handy at the moment) to the list.  I'd also add stuff sourced from
0.0.0.0 and 255.n.n.n.

FWIW, despite it being a very bad thing, a lot of people are using RFC1918
addresses in their external architecture, so ICMP and UDP from them isn't
uncommon.  Nor is leaky NAT helping things these days :(

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
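The following is an added example, not part of the thread or of anyone's posted configuration. It models the border filter Paul describes in both directions (bogon sources dropped inbound from the ISP, and anti-spoofing applied outbound on the external interface), and renders the same ranges as IOS-style wildcard ACLs using the mask-to-wildcard conversion the quoted rules needed. The link-local range 169.254.0.0/16 stands in for the "default PnP DHCP" range he could not recall and is taken from RFC 3927, not from the thread; the site prefix 203.0.113.0/24 and the sample packets are constructed placeholders.

```python
"""Border-router ingress/egress filter model (added example, not from the thread)."""
import ipaddress

# Source ranges that should never arrive from the Internet nor leave toward it:
# the four networks in the quoted ACL plus the additions Paul suggests.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),  # assumption: APIPA / link-local, RFC 3927
    ipaddress.ip_network("0.0.0.0/8"),       # "stuff sourced from 0.0.0.0"
    ipaddress.ip_network("255.0.0.0/8"),     # "255.n.n.n"
]

# Constructed placeholder for the address block the site actually owns.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def wildcard(net):
    """IOS wildcard mask for a prefix: the bitwise inverse of its subnet mask.
    The quoted ACL put a subnet mask where a destination address belongs;
    this is the conversion that keeps mask and wildcard straight."""
    return str(net.hostmask)


def render_ingress_acl(number):
    """ACL for the external interface, inbound: drop bogon sources and our
    own prefix (which can only be spoofed if it arrives from outside)."""
    lines = ["!Block bogon sources on inbound interface from Service Provider"]
    for net in BOGON_SOURCES + [SITE_PREFIX]:
        lines.append(f"access-list {number} deny ip {net.network_address} {wildcard(net)} any")
    lines.append(f"access-list {number} permit ip any any")
    return lines


def render_egress_acl(number):
    """ACL for the external interface, outbound: only packets sourced from
    our own prefix may leave; everything else is spoofed or leaky NAT."""
    return [
        "!Anti-spoofing on outbound interface toward Service Provider",
        f"access-list {number} permit ip {SITE_PREFIX.network_address} {wildcard(SITE_PREFIX)} any",
        f"access-list {number} deny ip any any log",
    ]


def filter_packet(direction, src):
    """Decision for one packet crossing the border.
    direction is 'in' (from the ISP) or 'out' (toward the ISP)."""
    s = ipaddress.ip_address(src)
    if any(s in net for net in BOGON_SOURCES):
        return "deny"
    if direction == "in" and s in SITE_PREFIX:
        return "deny"  # our own addresses never legitimately arrive from outside
    if direction == "out" and s not in SITE_PREFIX:
        return "deny"  # leaving with a source we do not own
    return "permit"


# Constructed sample traffic: (direction, source address).
SAMPLE_PACKETS = [
    ("in", "10.1.2.3"),          # RFC 1918 source from the ISP side
    ("in", "198.51.100.7"),      # ordinary Internet host
    ("in", "203.0.113.9"),       # our own prefix arriving from outside: spoofed
    ("out", "203.0.113.9"),      # legitimate outbound
    ("out", "192.168.1.5"),      # leaky NAT or misrouted private traffic
    ("out", "0.0.0.0"),
    ("out", "255.255.255.255"),
]


def audit(packets=SAMPLE_PACKETS):
    """Map each (direction, src) to its decision, so a log can be checked."""
    return {(d, s): filter_packet(d, s) for d, s in packets}


if __name__ == "__main__":
    print("\n".join(render_ingress_acl(150)))
    print("\n".join(render_egress_acl(151)))
    for (d, s), verdict in audit().items():
        print(f"{d:3} {s:16} {verdict}")
```

The egress list is deliberately a whitelist of the site's own prefix rather than a copy of the bogon list: it catches the RFC 1918 leakage Paul mentions and any other spoofed source in one rule, and the `log` keyword on the final deny gives you the evidence to chase down the leaky NAT.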
