[Dshield] Re: ICMP destination unreachable

William Sipila william at osource.com
Wed Nov 7 00:53:10 GMT 2001


> kill inbound (from Internet to your net) FROM any and all illegal
> addresses and kill outbound TO same
> 
> Here's the anti-spoofing portion of my ingress list (fwiw - recommended
> by some doc that I read a while back); the egress list is a mirror
> opposite:
> 
> deny ip source-address   destination-address
> ---- -- --------------   -------------------
> deny ip 10.0.0.0 0.255.255.255  any
> deny ip 172.16.0.0 0.15.255.255  any
> deny ip 192.168.0.0 0.0.255.255  any
> deny ip 169.254.0.0 0.0.255.255  any
> deny ip A.B.C.0 0.0.0.255  any  <-- this is to block spoofing of our network, A.B.C.x
> deny ip 192.0.2.0 0.0.0.255  any
> deny ip 0.0.0.0 0.255.255.255  any
> deny ip 127.0.0.0 0.255.255.255  any
> deny ip 224.0.0.0 31.255.255.255  any
> 
> Anybody care to add or improve on this?
> 
> -
> Bob Fitton, Network Specialist
> Labor Ready Inc
> Tacoma, WA

cool.  nice idea about blocking your own addresses.  this whole bit will
fill up my egress filters, but hey... ya gotta do what ya gotta do.

thanks for all the responses!!

	- will

--\/------------------------------------------------------------ 
    Developer/SysAdmin, OUTSOURCE Consulting Services, Inc. 
    william at osource.com | www.osource.com 
--/\------------------ 
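
An added illustration, not part of either poster's message: a Python sketch of how the wildcard masks in the quoted list select source addresses, reporting the range each entry covers and which entry first denies a given source. 198.51.100.0 stands in for the poster's A.B.C.0, and the function names are hypothetical.

```python
import ipaddress

# Ingress anti-spoofing entries from the quoted list (address, wildcard mask).
# The poster's own network is written A.B.C.0 on the page; 198.51.100.0 below
# is a constructed stand-in for it, not a value from the post.
BOGON_ACL = [
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
    ("169.254.0.0", "0.0.255.255"),
    ("198.51.100.0", "0.0.0.255"),   # placeholder for A.B.C.0
    ("192.0.2.0", "0.0.0.255"),
    ("0.0.0.0", "0.255.255.255"),
    ("127.0.0.0", "0.255.255.255"),
    ("224.0.0.0", "31.255.255.255"),  # multicast and everything above it
]

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a wildcard mask.
    Wildcard bits set to 1 are "don't care"; bits set to 0 must equal base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def covered_range(base, wildcard):
    """First and last address matched, for a contiguous wildcard mask."""
    b, w = _to_int(base), _to_int(wildcard)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    first = b & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))

def first_deny(src, acl=BOGON_ACL):
    """Return the first (base, wildcard) entry that denies src, else None."""
    for base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return (base, wildcard)
    return None

if __name__ == "__main__":
    for base, wc in BOGON_ACL:
        print("deny ip %-13s %-15s -> %s - %s" % ((base, wc) + covered_range(base, wc)))
    # Constructed sample sources: edge of 172.16/12, just past it, above multicast, ordinary
    for src in ("172.31.255.255", "172.32.0.1", "240.1.2.3", "8.8.8.8"):
        print(src, "->", first_deny(src))
```
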



