From: Abraham vd Merwe
To: FreeBSD ISP Related Questions
Date: Thu, 30 Nov 2000 19:47:35 +0200
Subject: Re: Danger Ports
Message-ID: <20001130194735.A23238@oasis.fireblue.com>
In-Reply-To: <200011301743.JAA44928@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Thu, Nov 30, 2000 at 09:43:57 -0800
Organization: Frogfoot Networks

Hi Rodney!

> Please do all the rest of us a favor and filter the
> packets to reserved networks, not just from them.
>
> > this is right out of the ACL for my core router..
> >
> > ! reserved networks
> > access-list 110 deny ip 127.0.0.0 0.0.0.255 any log
> > access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
> > access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
> > access-list 110 deny ip 172.31.0.0 0.0.255.255 any log
> > access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
>
> access-list 110 deny ip any 127.0.0.0 0.0.0.255 log
> access-list 110 deny ip any 10.0.0.0 0.255.255.255 log
> access-list 110 deny ip any 172.16.0.0 0.15.255.255 log
> access-list 110 deny ip any 172.31.0.0 0.0.255.255 log
> access-list 110 deny ip any 192.168.0.0 0.0.255.255 log

Actually I have a more complete spoofing template for you:

!!
!! Spoofing ACL
!!

! Deny any packets from the RFC 1918, IANA reserved, test,
! multicast as a source, and loopback netblocks to block
! attacks from commonly spoofed IP addresses.

! All zero, all one
access-list 2000 deny ip 0.0.0.0 0.255.255.255 any
access-list 2000 deny ip host 255.255.255.255 any

! Claims it came from the inside network, yet arrives on the
! outside (read: Internet) interface. Do not use this if CEF
! has been configured to take care of spoofing.
access-list 2000 deny ip 216.4.163.0 0.0.0.63 any
access-list 2000 deny ip 216.4.162.104 0.0.0.7 any
access-list 2000 deny ip 216.5.193.128 0.0.0.7 any
access-list 2000 deny ip 216.5.193.160 0.0.0.3 any

! IANA reserved
access-list 2000 deny ip 1.0.0.0 0.255.255.255 any
access-list 2000 deny ip 2.0.0.0 0.255.255.255 any

! Loopback
access-list 2000 deny ip 127.0.0.0 0.255.255.255 any

! RFC 1918
access-list 2000 deny ip 10.0.0.0 0.255.255.255 any
access-list 2000 deny ip 192.168.0.0 0.0.255.255 any
access-list 2000 deny ip 172.16.0.0 0.15.255.255 any

! Link local reserved
access-list 2000 deny ip 169.254.0.0 0.0.255.255 any

! IANA example network
access-list 2000 deny ip 192.0.2.0 0.0.0.255 any

! Multicast
access-list 2000 deny ip 224.0.0.0 15.255.255.255 any

! Experimental
access-list 2000 deny ip 240.0.0.0 15.255.255.255 any

! Allow IP access to the intranet (firewall filters specific ports)
access-list 2000 permit ip any 216.4.163.0 0.0.0.63
access-list 2000 permit ip any 216.4.162.104 0.0.0.7
access-list 2000 permit ip any 216.5.193.128 0.0.0.7
access-list 2000 permit ip any 216.5.193.160 0.0.0.3

! Our explicit (read: logged) drop all rule
! (extended ACLs need a protocol keyword, and the log keyword is what makes it logged)
access-list 2000 deny ip any any log

-- 
Regards
 Abraham

Laws are like sausages. It's better not to see them being made.
 -- Otto von Bismarck
___________________________________________________
Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
P.O. Box 3472, Matieland, Stellenbosch, 7602
Cell: +27 82 565 4451 - Tel: +27 21 887 8703
Http: http://www.frogfoot.net
Email: abz@frogfoot.net
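An added example, not part of the post above: a small evaluator for the wildcard-mask ACL lines in the template, useful for checking offline which source/destination pairs an ingress filter like this one drops before it goes on a router. It assumes standard IOS semantics (first match wins, implicit deny at the end, wildcard mask = inverse of the subnet mask) and uses a constructed excerpt of the posted rules.

```python
import ipaddress

# Constructed excerpt of the posted spoofing ACL (Cisco IOS syntax):
# spoofed/bogon sources first, then permitted destinations, then the deny.
ACL_TEXT = """
access-list 2000 deny ip 216.4.163.0 0.0.0.63 any
access-list 2000 deny ip 127.0.0.0 0.255.255.255 any
access-list 2000 deny ip 10.0.0.0 0.255.255.255 any
access-list 2000 deny ip 192.168.0.0 0.0.255.255 any
access-list 2000 deny ip 172.16.0.0 0.15.255.255 any
access-list 2000 deny ip 224.0.0.0 15.255.255.255 any
access-list 2000 permit ip any 216.4.163.0 0.0.0.63
access-list 2000 deny ip any any log
"""

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns (network, mask); mask has 1-bits for the significant bits,
    i.e. it is the bitwise inverse of the Cisco wildcard mask."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return int(ipaddress.IPv4Address(tok)), 0xFFFFFFFF ^ wildcard

def parse_acl(text):
    """Parse 'access-list N action ip SRC DST [log]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            continue  # '!' comments and non-IP entries are skipped
        rest = t[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)  # src parsed first
        rules.append((t[2], src, dst))
    return rules

def _matches(addr, spec):
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def evaluate(rules, src, dst):
    """First-match semantics; an IOS ACL ends with an implicit deny."""
    for action, s, d in rules:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"
```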