Date:      Thu, 30 Nov 2000 13:02:44 -0500 (EST)
From:      Igor Roshchin <str@giganda.komkon.org>
To:        freebsd-security@freebsd.org
Subject:   Re: Danger Ports
Message-ID:  <200011301802.NAA27215@giganda.komkon.org>
In-Reply-To: <200011301743.JAA44928@gndrsh.dnsmgr.net>

> From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
> Subject: Re: Danger Ports
> Date: Thu, 30 Nov 2000 09:43:57 -0800 (PST)
>
> Please do all the rest of us a favor and filter the
> packets to reserved networks, not just from them.
>  
> > this is right out of the ACL for my core router..
> > 
> > ! reserved networks  
> > access-list 110 deny   ip 127.0.0.0 0.0.0.255 any log
> > access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
> > access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
> > access-list 110 deny   ip 172.31.0.0 0.0.255.255 any log
> > access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
>
> access-list 110 deny   ip any 127.0.0.0 0.0.0.255 log
> access-list 110 deny   ip any 10.0.0.0 0.255.255.255 log
> access-list 110 deny   ip any 172.16.0.0 0.15.255.255 log
> access-list 110 deny   ip any 172.31.0.0 0.0.255.255 log
> access-list 110 deny   ip any 192.168.0.0 0.0.255.255 log
>
>

I am not sure if filtering some reserved networks would not stop legitimate
traffic for some people. E.g. Home.net (@Home, @Work)
is using 10.0.0.0 to number their aggregation routers. Thus its
users will probably suffer if they block this network at the firewall.

Regards,

Igor

PS.
Here is how a traceroute output looks for a client of @Work:
 1  local router ...
 2  10.252.4.49 (10.252.4.49)  16.012 ms  12.834 ms  12.852 ms
 3  10.252.6.1 (10.252.6.1)  11.823 ms  7.354 ms  4.556 ms
 4  c1-pos6-0.hrfrct1.home.net (24.7.74.65)  3.496 ms  15.956 ms  2.303 ms
 5  c1-pos6-0.nycmny1.home.net (24.7.69.2)  5.043 ms  7.764 ms  15.248 ms
 6  c1-pos8-0.cmdnnj1.home.net (24.7.65.229)  15.514 ms  22.998 ms  9.477 ms
 7  24.7.69.33 (24.7.69.33)  66.412 ms  66.057 ms  79.060 ms
 8  24.7.76.81 (24.7.76.81)  77.324 ms  65.984 ms  77.516 ms
 9  bb1-pos1-0.rwc1.sfba.home.net (24.7.74.118)  66.701 ms  78.673 ms  66.758 ms
10  bfr-ge0-0.excite.com (24.7.70.34)  67.170 ms  66.809 ms  77.240 ms
11  192.168.249.139 (192.168.249.139)  81.213 ms  68.489 ms  81.637 ms
12  192.168.251.4 (192.168.251.4)  67.023 ms  164.883 ms  173.432 ms
13  nblb1.dmz.home.net (199.172.150.100)  179.639 ms  178.223 ms  197.902 ms
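The following is an added example, not part of the thread or of any poster's configuration: it parses the access-list entries quoted above (Cisco wildcard masks, first match wins) and reports which hops of the traceroute in the postscript would have their ICMP time-exceeded replies dropped by such an ingress filter. The client address 203.0.113.7 is a constructed placeholder, and the rest of the real ACL (permits that the thread does not show) is modelled as "no match".

```python
import ipaddress

# ACL 110 as quoted in the thread: source-side entries plus the destination-side ones.
ACL_110 = """\
access-list 110 deny   ip 127.0.0.0 0.0.0.255 any log
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny   ip 172.31.0.0 0.0.255.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny   ip any 127.0.0.0 0.0.0.255 log
access-list 110 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 110 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 110 deny   ip any 172.31.0.0 0.0.255.255 log
access-list 110 deny   ip any 192.168.0.0 0.0.255.255 log
"""
# Router hops from the @Work traceroute in the postscript (hop 1, "local router", omitted).
TRACEROUTE_HOPS = ["10.252.4.49", "10.252.6.1", "24.7.74.65", "24.7.69.2",
                   "24.7.65.229", "24.7.69.33", "24.7.76.81", "24.7.74.118",
                   "24.7.70.34", "192.168.249.139", "192.168.251.4", "199.172.150.100"]

def _take_addr(tok):
    """Consume 'any' or '<addr> <wildcard>' from the token list; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    # A Cisco wildcard is an inverted netmask: 0 bits must match, 1 bits are don't-care.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1])))
    return ipaddress.ip_network(f"{tok[0]}/{netmask}", strict=False), tok[2:]

def parse_acl(text):
    """Parse 'access-list N <permit|deny> ip <src> <dst> [log]' lines into (action, src, dst)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue  # skip blank lines and '!' comment lines
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        rules.append((tok[2], src, dst))
    return rules

def lookup(rules, src, dst):
    """First matching entry wins, as on the router; None = nothing in this excerpt matched."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in rules:
        if s in snet and d in dnet:
            return action
    return None

def hops_lost(rules, client_ip, hops):
    """Hops whose ICMP time-exceeded replies (src=hop, dst=client) the ingress filter denies."""
    return [h for h in hops if lookup(rules, h, client_ip) == "deny"]
```

Running `hops_lost(parse_acl(ACL_110), "203.0.113.7", TRACEROUTE_HOPS)` returns the four 10/8 and 192.168/16 hops, which is exactly the loss of visibility the message describes; the destination-side entries additionally deny the client's own probes to those hops.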


