[Dshield] Re: ICMP destination unreachable

Fitton, Robert "Bob" BFitton at laborready.com
Tue Nov 6 00:15:54 GMT 2001


>from William Sipila:
>hmmm... i was just looking at the router config: should i kill outbound
>packets going *to* the reserved addresses, or outbound packets 
>*from* the reserved addresses (ie: from the inside)?  or both?  :)

kill inbound (from Internet to your net) FROM any and all illegal
addresses, and kill outbound TO same

Here's the anti-spoofing portion of my ingress list (fwiw - recommended
by some doc that I read a while back); the egress list is a mirror
opposite:

deny ip source-address   destination-address
---- -- --------------   -------------------
deny ip 10.0.0.0 0.255.255.255  any
deny ip 172.16.0.0 0.15.255.255  any
deny ip 192.168.0.0 0.0.255.255  any
deny ip 169.254.0.0 0.0.255.255  any
deny ip A.B.C.0 0.0.0.255  any  <-- this is to block spoofing of our network, A.B.C.x
deny ip 192.0.2.0 0.0.0.255  any
deny ip 0.0.0.0 0.255.255.255  any
deny ip 127.0.0.0 0.255.255.255  any
deny ip 224.0.0.0 31.255.255.255  any

Anybody care to add or improve on this?

-
Bob Fitton, Network Specialist
Labor Ready Inc
Tacoma, WA
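As an added illustration (not code from the post or from Bob's router), the list above evaluated in software: a packet's source is checked on ingress, and the mirrored egress list checks the destination, using Cisco wildcard-mask semantics where a 1 bit in the mask means "don't care". A.B.C.0 is the poster's own network; 203.0.113.0 is a constructed placeholder for it.

```python
# Added example: apply the post's anti-spoofing ACL with Cisco wildcard masks.
import ipaddress

# Placeholder for A.B.C.0 (the poster's own network); constructed value.
OUR_NET = "203.0.113.0"

# (network, wildcard) pairs exactly as listed in the post's ingress ACL.
BOGON_ENTRIES = [
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
    ("169.254.0.0", "0.0.255.255"),
    (OUR_NET, "0.0.0.255"),          # our own block arriving from outside
    ("192.0.2.0", "0.0.0.255"),
    ("0.0.0.0", "0.255.255.255"),
    ("127.0.0.0", "0.255.255.255"),
    ("224.0.0.0", "31.255.255.255"), # 224/3: multicast plus class E
]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network/wildcard: compare only the bits where
    the wildcard is 0 (wildcard 1 bits are ignored, unlike a subnet mask)."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(network) & care)


def matching_entry(addr: str):
    """First ACL entry that matches addr, or None (ACLs are first-match)."""
    for network, wildcard in BOGON_ENTRIES:
        if wildcard_match(addr, network, wildcard):
            return (network, wildcard)
    return None


def verdict(direction: str, src: str, dst: str) -> str:
    """Ingress: deny if the SOURCE is in the list. Egress (the mirror the
    post describes): deny if the DESTINATION is in the list. 'permit' here
    only means the packet falls through to the rest of the ACL."""
    if direction == "ingress":
        return "deny" if matching_entry(src) else "permit"
    if direction == "egress":
        return "deny" if matching_entry(dst) else "permit"
    raise ValueError(f"unknown direction: {direction}")
```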
