Date: Wed, 11 Feb 1998 17:05:11 -0600 (CST)
From: Kevin Day <toasty@home.dragondata.com>
To: isp@FreeBSD.ORG
Subject: Access lists
Message-ID: <199802112305.RAA05162@home.dragondata.com>
This really has little to do with FreeBSD, but more towards ISPs...

1) If you're not filtering your outgoing packets with router access lists, a firewall, or anything else, please do. Make sure packets from your class C (or whatever else you may have) are the only things getting out. This would effectively stop spoofing from 90% of its sources.

2) You improve your own security by quite a bit by filtering what comes in to you. Don't let your router accept packets that look like they're from your class C from the wrong side of the net, don't accept any packets from 127.*.*.*, or any broadcast addresses...

If you've got a cisco, here's a sample configuration.

    interface Serial0
     ip access-group 101 in
     ip access-group 102 out
    !
    no access-list 102
    no access-list 101
    access-list 101 deny ip 204.137.237.0 0.0.0.255 any
    ! Replace 204.137.237.0 with your class C address. If you don't have a class
    ! C, you'll have to change the netmask that follows it.
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    ! Don't let people spoof the loopback addresses.
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    ! Don't let people spoof, or otherwise use, 'internal/test' IPs.
    access-list 101 deny ip any 0.0.0.255 255.255.255.0
    access-list 101 deny ip any 0.0.0.0 255.255.255.0
    ! Don't let people use .255 or .0 addresses.
    access-list 101 permit ip any any
    access-list 102 permit ip 204.137.237.0 0.0.0.255 any
    ! Only let my IP range out, nothing more.
    access-list 102 deny ip any any

For those of you not convinced that each of those is needed, here's a report after only 2 days of use.
    Extended IP access list 101
        deny ip 204.137.237.0 0.0.0.255 any (3479 matches)
        deny ip 127.0.0.0 0.255.255.255 any (494 matches)
        deny ip 10.0.0.0 0.255.255.255 any (896 matches)
        deny ip 172.16.0.0 0.15.255.255 any (154 matches)
        deny ip 192.168.0.0 0.0.255.255 any (1326 matches)
        deny ip any 0.0.0.255 255.255.255.0 (2 matches)
        deny ip any 0.0.0.0 255.255.255.0 (1 match)
        permit ip any any (62379930 matches)

Does anyone have any suggestions for any other lines to add?

If you don't know your way around a Cisco's config, don't blindly go adding things. :) Have your Cisco guru do it, rather than killing me later. :)

This e-mail comes from frustration out of people spoofing like crazy lately. :)

Kevin Day
DragonData
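As an added example (not part of Kevin's message or any Cisco software), the following Python parses the access-list lines from the message and evaluates sample packets against them with Cisco wildcard-mask semantics (a 1 bit in the mask means "don't care", first match wins, implicit deny at the end). It lets you check which line catches which spoofed source before putting the list on a router; the access-list text is copied from the message, the test addresses are constructed.

```python
import ipaddress

# Constructed copy of the access-list lines from the message (comments and interface lines left out).
ACL_LINES = """
access-list 101 deny ip 204.137.237.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any 0.0.0.255 255.255.255.0
access-list 101 deny ip any 0.0.0.0 255.255.255.0
access-list 101 permit ip any any
access-list 102 permit ip 204.137.237.0 0.0.0.255 any
access-list 102 deny ip any any
"""

def take_addr(tokens):
    """Consume one address spec: 'any' or 'A.B.C.D WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acls(text):
    """Group 'access-list N action ip SRC DST' lines by list number, keeping their order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, rest = take_addr(tok[4:])
        dst, _ = take_addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def wildcard_match(addr, spec):
    """Cisco wildcard masks are inverted netmasks: a 1 bit is 'don't care', a 0 bit must match."""
    base, wildcard = spec
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & keep == int(ipaddress.IPv4Address(base)) & keep

def evaluate(acl, src, dst):
    """First matching entry decides; an extended ACL ends with an implicit 'deny ip any any'."""
    for action, src_spec, dst_spec in acl:
        if wildcard_match(src, src_spec) and wildcard_match(dst, dst_spec):
            return action
    return "deny"

ACLS = parse_acls(ACL_LINES)  # {"101": [...], "102": [...]}; 101 is applied 'in', 102 'out'
```

Note that `deny ip any 0.0.0.255 255.255.255.0` uses the wildcard 255.255.255.0 deliberately: only the last octet is compared, so it matches any destination ending in .255 regardless of network.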