Date: Thu, 30 Nov 2000 13:02:44 -0500 (EST)
From: Igor Roshchin <str@giganda.komkon.org>
To: freebsd-security@freebsd.org
Subject: Re: Danger Ports
Message-ID: <200011301802.NAA27215@giganda.komkon.org>
In-Reply-To: <200011301743.JAA44928@gndrsh.dnsmgr.net>
> From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
> Subject: Re: Danger Ports
> Date: Thu, 30 Nov 2000 09:43:57 -0800 (PST)
>
> Please do all the rest of us a favor and filter the
> packets to reserved networks, not just from them.
>
> > this is right out of the ACL for my core router..
> >
> > ! reserved networks
> > access-list 110 deny ip 127.0.0.0 0.0.0.255 any log
> > access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
> > access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
> > access-list 110 deny ip 172.31.0.0 0.0.255.255 any log
> > access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
>
> access-list 110 deny ip any 127.0.0.0 0.0.0.255 log
> access-list 110 deny ip any 10.0.0.0 0.255.255.255 log
> access-list 110 deny ip any 172.16.0.0 0.15.255.255 log
> access-list 110 deny ip any 172.31.0.0 0.0.255.255 log
> access-list 110 deny ip any 192.168.0.0 0.0.255.255 log
>

I am not sure if filtering some reserved networks would not stop legible
traffic for some people. E.g. Home.net (@Home, @Work) is using 10.0.0.0 to
number their aggregation routers. Thus its users will probably suffer if they
block this network at the firewall.

Regards,

Igor

PS. Here is how a traceroute output looks for a client of @Work:

 1  local router ...
 2  10.252.4.49 (10.252.4.49)  16.012 ms  12.834 ms  12.852 ms
 3  10.252.6.1 (10.252.6.1)  11.823 ms  7.354 ms  4.556 ms
 4  c1-pos6-0.hrfrct1.home.net (24.7.74.65)  3.496 ms  15.956 ms  2.303 ms
 5  c1-pos6-0.nycmny1.home.net (24.7.69.2)  5.043 ms  7.764 ms  15.248 ms
 6  c1-pos8-0.cmdnnj1.home.net (24.7.65.229)  15.514 ms  22.998 ms  9.477 ms
 7  24.7.69.33 (24.7.69.33)  66.412 ms  66.057 ms  79.060 ms
 8  24.7.76.81 (24.7.76.81)  77.324 ms  65.984 ms  77.516 ms
 9  bb1-pos1-0.rwc1.sfba.home.net (24.7.74.118)  66.701 ms  78.673 ms  66.758 ms
10  bfr-ge0-0.excite.com (24.7.70.34)  67.170 ms  66.809 ms  77.240 ms
11  192.168.249.139 (192.168.249.139)  81.213 ms  68.489 ms  81.637 ms
12  192.168.251.4 (192.168.251.4)  67.023 ms  164.883 ms  173.432 ms
13  nblb1.dmz.home.net (199.172.150.100)  179.639 ms  178.223 ms  197.902 ms

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
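Added example, not part of the thread above: a small Python script that parses the quoted Cisco wildcard-mask ACL and walks the quoted traceroute, reporting which hops' ICMP Time Exceeded replies (source = hop router, destination = the client) the "deny ip <reserved> any" entries would drop. It shows concretely what Igor describes: the "from reserved networks" rules, not the "to reserved networks" rules Rodney asks for, are the ones that break traceroute through a provider numbering its routers from 10/8. The client address 203.0.113.10 is a constructed placeholder; the real ACL's trailing permit entries are not shown in the message, so anything not matched by a quoted deny is assumed permitted.

```python
"""Check the quoted reserved-network ACL against the quoted traceroute hops."""
import ipaddress
import re

# ACL entries quoted in the message above (Cisco address/wildcard-mask notation).
ACL_LINES = [
    "access-list 110 deny ip 127.0.0.0 0.0.0.255 any log",
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 110 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 110 deny ip 172.31.0.0 0.0.255.255 any log",
    "access-list 110 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 110 deny ip any 127.0.0.0 0.0.0.255 log",
    "access-list 110 deny ip any 10.0.0.0 0.255.255.255 log",
    "access-list 110 deny ip any 172.16.0.0 0.15.255.255 log",
    "access-list 110 deny ip any 172.31.0.0 0.0.255.255 log",
    "access-list 110 deny ip any 192.168.0.0 0.0.255.255 log",
]

# Traceroute output quoted at the end of the message (hop 1 carries no address).
TRACEROUTE = """\
 1  local router ...
 2  10.252.4.49 (10.252.4.49)  16.012 ms  12.834 ms  12.852 ms
 3  10.252.6.1 (10.252.6.1)  11.823 ms  7.354 ms  4.556 ms
 4  c1-pos6-0.hrfrct1.home.net (24.7.74.65)  3.496 ms  15.956 ms  2.303 ms
 5  c1-pos6-0.nycmny1.home.net (24.7.69.2)  5.043 ms  7.764 ms  15.248 ms
 6  c1-pos8-0.cmdnnj1.home.net (24.7.65.229)  15.514 ms  22.998 ms  9.477 ms
 7  24.7.69.33 (24.7.69.33)  66.412 ms  66.057 ms  79.060 ms
 8  24.7.76.81 (24.7.76.81)  77.324 ms  65.984 ms  77.516 ms
 9  bb1-pos1-0.rwc1.sfba.home.net (24.7.74.118)  66.701 ms  78.673 ms  66.758 ms
10  bfr-ge0-0.excite.com (24.7.70.34)  67.170 ms  66.809 ms  77.240 ms
11  192.168.249.139 (192.168.249.139)  81.213 ms  68.489 ms  81.637 ms
12  192.168.251.4 (192.168.251.4)  67.023 ms  164.883 ms  173.432 ms
13  nblb1.dmz.home.net (199.172.150.100)  179.639 ms  178.223 ms  197.902 ms
"""

# Constructed placeholder for the @Work client running the traceroute (TEST-NET-3).
CLIENT = ipaddress.ip_address("203.0.113.10")

# Matches "<hop>  <name-or-addr> (<addr>)" at the start of a traceroute line.
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([\d.]+)\)")


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address + wildcard mask into an ipaddress network.

    Assumes a contiguous wildcard (0.15.255.255 -> /12), which holds for
    every entry quoted above; non-contiguous wildcards are not handled."""
    wild = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wild.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _take_address(tokens):
    """Consume either 'any' or '<addr> <wildcard>' from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list 110 deny ip <src> <dst> [log]' into (action, src, dst)."""
    rules = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["access-list", "110"] or tokens[3] != "ip":
            raise ValueError(f"unexpected ACL line: {line}")
        action = tokens[2]
        src, rest = _take_address(tokens[4:])
        dst, _ = _take_address(rest)
        rules.append((action, src, dst))
    return rules


def acl_action(rules, src, dst):
    """First-match evaluation. Anything no quoted deny matches is treated as
    permitted (assumption: the unseen remainder of the ACL permits it)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action
    return "permit"


def dropped_hops(rules, traceroute_text, client):
    """Hop numbers whose Time Exceeded reply (router -> client) the ACL denies."""
    dropped = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # hop 1 has no address in the quoted output
        hop, router = int(m.group(1)), m.group(2)
        if acl_action(rules, router, str(client)) == "deny":
            dropped.append(hop)
    return dropped


if __name__ == "__main__":
    rules = parse_acl(ACL_LINES)
    print("hops whose replies the ACL would drop:",
          dropped_hops(rules, TRACEROUTE, CLIENT))
```

Run as written it reports hops 2, 3, 11 and 12: the two 10.252.x aggregation routers and the two 192.168.x hops inside the destination network. Every reply that is dropped is caught by a "deny ip <reserved> any" source rule; the "deny ip any <reserved>" destination rules never fire here because the traceroute target (199.172.150.100) is public, which is why adding destination filtering, as Rodney asks, does not change the picture for this path while removing source filtering of 10/8 would.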