North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Martian list of IP's to block???
- From: bmanning
- Date: Fri Oct 01 11:49:56 1999
> I used the ones Cisco outlined in their document IOS Essentials every ISP
> Should Know. Here is a copy of the list I use for out clients:
> deny ip host 0.0.0.0 any log
> deny ip 127.0.0.0 0.255.255.255 any log
> deny ip 10.0.0.0 0.255.255.255 any log
> deny ip 172.16.0.0 0.15.255.255 any log
> deny ip 192.168.0.0 0.0.255.255 any log
> deny ip xxx.xxx.xxx.0 0.0.0.255 any log
> deny ip 220.127.116.11 18.104.22.168 any log
> We are denyingy anyone that claims that their IP address is 0.0.0.0,
> Loopback addresses, all of the RFC 1918 addresses, address coming into us
> claiming they belong to our subnet, and multicast addresses. It seems to
> work for us. I also turn of ip directed broadcasts to minimize smurf/DoS
> attacks. If you would like a copy of the document I used, let me know and
> I'll e-mail a copy to you.
Its also useful to block
192.0.2.0/24 - the test network. so designated for documentation use
169.254.0.0/16 - the link-local network.
I'm not convinced that blocking native multicast is a good idea.