From owner-freebsd-isp Wed Feb 11 15:05:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA09921 for freebsd-isp-outgoing; Wed, 11 Feb 1998 15:05:33 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from home.dragondata.com (toasty@home.dragondata.com [204.137.237.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA09885 for ; Wed, 11 Feb 1998 15:05:16 -0800 (PST) (envelope-from toasty@home.dragondata.com)
Received: (from toasty@localhost) by home.dragondata.com (8.8.5/8.8.5) id RAA05162 for isp@freebsd.org; Wed, 11 Feb 1998 17:05:11 -0600 (CST)
From: Kevin Day
Message-Id: <199802112305.RAA05162@home.dragondata.com>
Subject: Access lists
To: isp@FreeBSD.ORG
Date: Wed, 11 Feb 1998 17:05:11 -0600 (CST)
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This really has little to do with FreeBSD, but more towards ISPs...

1) If you're not filtering your outgoing packets with router access lists, a firewall, or anything else, please do. Make sure packets from your class C (or whatever else you may have) are the only things getting out. This would effectively stop spoofing from 90% of its sources.

2) You improve your own security by quite a bit by filtering what comes in to you. Don't let your router accept packets that look like they're from your class C from the wrong side of the net, don't accept any packets from 127.*.*.*, or any broadcast addresses...

If you've got a cisco, here's a sample configuration.

interface Serial0
 ip access-group 101 in
 ip access-group 102 out
!
no access-list 102
no access-list 101
access-list 101 deny ip 204.137.237.0 0.0.0.255 any
! replace 204.137.237.0 with your class C address. If you don't have a class
! C, you'll have to change the netmask that follows it.
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! Don't let people spoof the loopback addresses.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
! Don't let people spoof, or otherwise use 'internal/test' IPs.
access-list 101 deny ip any 0.0.0.255 255.255.255.0
access-list 101 deny ip any 0.0.0.0 255.255.255.0
! Don't let people use .255 or .0 addresses.
access-list 101 permit ip any any
access-list 102 permit ip 204.137.237.0 0.0.0.255 any
! Only let my IP range out, nothing more.
access-list 102 deny ip any any

For those of you not convinced that each of those is needed, here's a report after only 2 days of use.

Extended IP access list 101
    deny ip 204.137.237.0 0.0.0.255 any (3479 matches)
    deny ip 127.0.0.0 0.255.255.255 any (494 matches)
    deny ip 10.0.0.0 0.255.255.255 any (896 matches)
    deny ip 172.16.0.0 0.15.255.255 any (154 matches)
    deny ip 192.168.0.0 0.0.255.255 any (1326 matches)
    deny ip any 0.0.0.255 255.255.255.0 (2 matches)
    deny ip any 0.0.0.0 255.255.255.0 (1 match)
    permit ip any any (62379930 matches)

Does anyone have any suggestions for any other lines to add?

If you don't know your way around a Cisco's config, don't blindly go adding things. :) Have your Cisco guru do it, rather than killing me later. :)

This e-mail comes from frustration out of people spoofing like crazy lately. :)

Kevin Day
DragonData

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
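The two lists in Kevin's message are easier to reason about once the evaluation rules are spelled out: IOS walks a numbered access list top to bottom, the first matching line decides, and a packet that matches nothing is dropped by the implicit deny at the end. The wildcard masks are the inverse of netmasks (a 0 bit must match, a 1 bit is ignored), which is why "any 0.0.0.255 255.255.255.0" as a destination means "any address whose last octet is 255". The Python below is an added illustration for this archive page, not code from the post or from Cisco: it parses the access-list lines exactly as written above, evaluates some constructed sample packets against list 101 inbound and list 102 outbound on Serial0, and keeps per-line hit counters in the style of the "show access-lists" report. The 198.51.100.0/24 addresses are constructed stand-ins for outside hosts; the function names (parse_acls, evaluate, check, run_samples, report) belong to this example only, and it models only the "ip" / "any" / address-plus-wildcard syntax the post uses, not ports or the established keyword.

```python
import ipaddress
from dataclasses import dataclass

# The two lists from the post, '!' comment lines dropped.
ACL_CONFIG = """
access-list 101 deny ip 204.137.237.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any 0.0.0.255 255.255.255.0
access-list 101 deny ip any 0.0.0.0 255.255.255.0
access-list 101 permit ip any any
access-list 102 permit ip 204.137.237.0 0.0.0.255 any
access-list 102 deny ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))  # dotted quad -> 32-bit int

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care
    (the inverse of a netmask, so 0.0.0.255 means 'any host in this /24')."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

@dataclass
class Entry:
    action: str       # "permit" or "deny"
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    text: str         # original config line, for the report
    matches: int = 0  # hit counter, as in 'show access-lists'

    def covers(self, src, dst):
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))

def _addr_spec(tokens):
    """Consume 'any' or '<addr> <wildcard>'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acls(config):
    """Return {acl_number: [Entry, ...]} in configuration order."""
    acls = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        keyword, number, action, proto, *rest = line.split()
        if keyword != "access-list" or proto != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, src_wc, rest = _addr_spec(rest)
        dst, dst_wc, rest = _addr_spec(rest)
        acls.setdefault(number, []).append(Entry(action, src, src_wc, dst, dst_wc, line))
    return acls

def evaluate(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for entry in entries:
        if entry.covers(s, d):
            entry.matches += 1
            return entry.action
    return "deny"

ACLS = parse_acls(ACL_CONFIG)

def check(direction, src, dst):
    """Apply the post's Serial0 binding: 101 on the way in, 102 on the way out."""
    return evaluate(ACLS["101" if direction == "in" else "102"], src, dst)

# Constructed sample traffic; 198.51.100.0/24 stands in for outside hosts.
SAMPLE_PACKETS = [
    ("in",  "204.137.237.5",  "198.51.100.1"),    # own prefix arriving from outside: spoofed
    ("in",  "127.0.0.1",      "204.137.237.10"),  # loopback source
    ("in",  "10.1.2.3",       "204.137.237.10"),  # RFC 1918 source
    ("in",  "198.51.100.7",   "204.137.237.255"), # directed-broadcast destination
    ("in",  "198.51.100.7",   "204.137.237.10"),  # ordinary inbound traffic
    ("out", "204.137.237.10", "198.51.100.7"),    # ordinary outbound traffic
    ("out", "192.168.1.1",    "198.51.100.7"),    # wrong source leaving: stopped by 102
]

def run_samples(packets=SAMPLE_PACKETS):
    """Return [(direction, src, dst, verdict), ...] for the sample traffic."""
    return [(d, s, t, check(d, s, t)) for d, s, t in packets]

def report(entries):
    """Per-entry hit counts, in the spirit of the post's 'show access-lists' output."""
    return [(e.text, e.matches) for e in entries]

if __name__ == "__main__":
    for direction, src, dst, verdict in run_samples():
        print(f"{direction:3} {src:>15} -> {dst:<15} {verdict}")
    for number, entries in ACLS.items():
        print(f"Extended IP access list {number}")
        for text, hits in report(entries):
            print(f"    {text} ({hits} matches)")
```

Run it directly to see the verdict for each sample packet followed by the counters. The two lists deliberately have opposite defaults: 101 enumerates what may not arrive and then permits everything else, while 102 permits only the one prefix and denies the rest, so together they stop outsiders from claiming your addresses and stop anything that is not your address from leaving.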