Date:      Mon, 24 Jun 1996 23:58:10 +0900 (JST)
From:      Michael Hancock <michaelh@cet.co.jp>
To:        Ollivier Robert <roberto@keltia.freenix.fr>
Cc:        "Jordan K. Hubbard" <jkh@time.cdrom.com>, guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject:   Re: I need help on this one - please help me track this guy down!
Message-ID:  <Pine.SV4.3.93.960624235426.7164A-100000@parkplace.cet.co.jp>
In-Reply-To: <199606241143.NAA09908@keltia.freenix.fr>

Maybe someone should ask pu.ru to filter outgoing non-pu.ru packets.  Some
ISPs do this.

On Mon, 24 Jun 1996, Ollivier Robert wrote:

> It seems that Jordan K. Hubbard said:
> > How do you install such things on a cisco 2500? :-) Seriously, if
> > there's a way then I can get someone from cisco to help me out, but I
> > first need to know that it's even a reasonable request.
> 
> If you use Serial0 for the Internet and A.B.C.0/24 in your internal
> network, use something like the following:
> 
> !
> ! Refuses loose/strict source routed packets
> !
> no ip source-route
> !
> interface Serial0
> ip address A.B.C.254 255.255.255.0
> ip access-g 100 in
> ip access-g 101 out
> 
> ... 
> 
> ! access list for incoming packets
> ! should fix most of the new attacks when a spoofed packet
> ! is trying to come from the outside with a source address
> ! from our network which is impossible.
> !
> no access-list 100
> !
> ! Rejects our own addresses C-Class A.B.C.0/24
> !
> access-list 100 deny ip  A.B.C.0 0.0.0.255 any
> !
> ! Rejects EPITA B-Class 163.5.0.0/16
> !
> access-list 100 deny ip  163.5.0.0 0.0.255.255 any
> !
> ! Rejects special addresses
> !
> access-list 100 deny ip  127.0.0.0 0.255.255.255 any
> !
> ! RFC-1918 IANA reserved A/B/C classes
> ! A-Class 10.0.0.0/8
> !
> access-list 100 deny ip  10.0.0.0 0.255.255.255 any
> !
> ! B-Classes 172.16.0.0/12
> !
> access-list 100 deny ip  172.16.0.0 0.15.255.255 any
> !
> ! C-Classes 192.168.0.0/16
> !
> access-list 100 deny ip  192.168.0.0 0.0.255.255 any
> !
> ! Accepts the rest
> !
> access-list 100 permit ip any A.B.C.0 0.0.0.255
> 
> -- 
> Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 2.2-CURRENT #11: Thu Jun 13 11:01:47 MET DST 1996
> 
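
Added example, not part of the original messages: a small Python evaluator for the access-list 100 rules quoted above, showing first-match and wildcard-mask behaviour on constructed packets. The A.B.C.0/24 placeholder is replaced by the documentation prefix 192.0.2.0/24, and the list 101 rule is an assumed egress counterpart (the quoted config elides it) that implements the outgoing filter suggested at the top of this message.

```python
import ipaddress

# Constructed stand-in: the post's A.B.C.0/24 becomes 192.0.2.0/24 here.
ACL_100 = """
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 163.5.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any 192.0.2.0 0.0.0.255
"""

# Assumed egress list (not in the post): only our own prefix may leave.
ACL_101 = "access-list 101 permit ip 192.0.2.0 0.0.0.255 any"

def _spec(tokens):
    """Consume 'any', 'host X' or 'addr wildcard'; return (addr, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse(text):
    """Parse 'access-list N action ip SRC DST' lines (protocol ip only, no ports)."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, rest = tokens[2], tokens[4:]
        rules.append((action, _spec(rest), _spec(rest)))
    return rules

def _match(addr, spec):
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    base, wild = spec
    return (addr | wild) == (base | wild)

def evaluate(rules, src, dst):
    """Return the action of the first matching rule, else the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in rules:
        if _match(s, src_spec) and _match(d, dst_spec):
            return action
    return "deny"  # every IOS access list ends with an implicit deny
```

Running constructed packets through both lists before deployment shows which sources the 0.15.255.255 wildcard actually covers and confirms that anything not explicitly permitted falls through to the implicit deny.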