[Dshield] Re: ICMP destination unreachable

Uros Vovcak urosv at g-kabel.si
Tue Nov 6 08:04:32 GMT 2001


What about...
005/8  IANA - Private Use
010/8  IANA - Private Use
023/8  IANA - Reserved
027/8  IANA - Reserved
031/8  IANA - Reserved
037/8  IANA - Reserved
039/8  IANA - Reserved
041/8  IANA - Reserved
042/8  IANA - Reserved
058/8  IANA - Reserved
059/8  IANA - Reserved
060/8  IANA - Reserved
069-079/8 IANA - Reserved
082-095/8 IANA - Reserved
096-126/8 IANA - Reserved
127/8  IANA - Reserved
197/8  IANA - Reserved
220-223/8       IANA - Reserved
224-239/8 IANA - Multicast
240-255/8 IANA - Reserved
========================
Uros Vovcak
Admin mreze Gorenjski kabel
Si - Slovenija
urosv at g-kabel.si
========================
----- Original Message -----
From: "Fitton, Robert "Bob"" <BFitton at laborready.com>
To: <dshield at dshield.org>
Sent: Tuesday, November 06, 2001 1:15 AM
Subject: RE: [Dshield] Re: ICMP destination unreachable


> >from William Sipila:
> >hmmm... i was just looking at the router config: should i kill oubound
> >packets going *to* the reserved addresses, or outbound packets
> >*from* the reserved addresses (ie: from the inside)?  or both?  :)
>
> kill inbound (from Internet to your net) FROM any and all illegal
> addresses
> and kill outbound TO same
>
> Here's the anti-spoofing portion of my ingress list (fwiw - recommended
> by some doc that I read a while back); the egress list is a mirror
> opposite:
>
> deny ip source-address   destination-address
> ---- -- --------------   -------------------
> deny ip 10.0.0.0 0.255.255.255  any
> deny ip 172.16.0.0 0.15.255.255  any
> deny ip 192.168.0.0 0.0.255.255  any
> deny ip 169.254.0.0 0.0.255.255  any
> deny ip A.B.C.0 0.0.0.255  any  <-- this is to block spoofing of our
> network, A.B.C.x
> deny ip 192.0.2.0 0.0.0.255  any
> deny ip 0.0.0.0 0.255.255.255  any
> deny ip 127.0.0.0 0.255.255.255  any
> deny ip 224.0.0.0 31.255.255.255  any
>
> Anybody care to add or improve on this?
>
> -
> Bob Fitton, Network Specialist
> Labor Ready Inc
> Tacoma, WA
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield
>




More information about the list mailing list