North American Network Operators Group


Re: RFC 1918

  • From: Bohdan Tashchuk
  • Date: Sun Jul 16 20:03:02 2000

> Though technically you're right, this kind of attitude is exactly the
> problem.  Everyone should filter all RFC1918 usage on public links,
> regardless of whether they themselves use it, or their customers use it,
> or not.  To not do such filtering is to be a bad neighbour.

I'm just a home DSL user, and usually a fly on the wall for this mailing
list.

But I've found it beneficial to make a practical exception to your blanket
condemnation of RFC1918 source addresses. I don't think there is much harm
to it.

The relevant snippet of my rules on my ingress filter is:
	
	1) ... block bad things such as unused or spoofed addrs ...
	2) allow icmp from any to any icmptypes 0,3,4,11,12
	3) deny ip from 10.0.0.0/8 to any
	4) deny ip from 172.16.0.0/12 to any
	5) deny ip from 192.168.0.0/16 to any
	6) allow tcp from any to any 1024-65535 established
	7) ... some other rules ...
	8) deny everything else by default

Line #2 allows relatively benign incoming ICMP, such as "fragmentation
needed", but hopefully blocks the more problematic stuff.

I added this exception for a very practical reason. Without it there were
many routers, generating ICMP messages using RFC1918 source addresses,
whose error messages were important, but that I dropped at the firewall.
Interestingly, these messages passed thru MANY intermediate routers that
didn't block packets with RFC1918 source addresses.

If you take it upon yourself to "filter all RFC1918 usage" from the outside
world, you (and your customers) will suffer for it. Because it seems to be
established practice out there.

Of course I never send packets to the Internet with an RFC1918 address in
them.
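As an added illustration (not part of the original post, and not FreeBSD's ipfw), here is a small first-match simulator for an ingress rule list shaped like the one above. It exists to make the ordering point concrete: with the ICMP allow placed before the RFC 1918 denies, a "fragmentation needed" message from a 10/8-sourced router is accepted, while the same message is dropped if the RFC 1918 denies come first. Everything else from RFC 1918 space, and anything not explicitly allowed, still hits the default deny. The `Rule`/`Packet` classes, the `evaluate` function and the sample packets are constructed for this example.

```python
# Added example: a minimal first-match evaluator for an ipfw-style ingress
# rule list. Rule syntax, helper names and sample packets are constructed
# for this illustration; this is not ipfw and not the original post's code.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None   # only meaningful when proto == "icmp"
    dport: Optional[int] = None       # only meaningful for tcp/udp
    established: bool = False         # TCP reply traffic (ACK set)


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    proto: str = "ip"                 # "ip" matches every protocol
    src: str = "0.0.0.0/0"            # source prefix, "any" by default
    icmp_types: tuple = ()            # empty tuple means any ICMP type
    dports: Optional[range] = None    # destination port range, None = any
    established: bool = False         # require an established TCP flow

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.icmp_types and p.icmp_type not in self.icmp_types:
            return False
        if self.dports is not None and (p.dport is None or p.dport not in self.dports):
            return False
        if self.established and not p.established:
            return False
        return True


def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; the list ends with an implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The ordering from the post: benign ICMP types first, then the RFC 1918 denies.
POSTED_ORDER = [
    Rule("allow", "icmp", icmp_types=(0, 3, 4, 11, 12)),
    Rule("deny", src="10.0.0.0/8"),
    Rule("deny", src="172.16.0.0/12"),
    Rule("deny", src="192.168.0.0/16"),
    Rule("allow", "tcp", dports=range(1024, 65536), established=True),
]

# The "blanket" ordering: RFC 1918 denies ahead of everything else.
BLANKET_ORDER = POSTED_ORDER[1:4] + [POSTED_ORDER[0], POSTED_ORDER[4]]

# Constructed sample packets (documentation addresses used for public hosts).
FRAG_NEEDED_FROM_PRIVATE = Packet("10.1.2.3", "203.0.113.10", "icmp", icmp_type=3)
ECHO_REQ_FROM_PRIVATE = Packet("10.1.2.3", "203.0.113.10", "icmp", icmp_type=8)
TCP_SYN_FROM_PRIVATE = Packet("192.168.5.5", "203.0.113.10", "tcp", dport=8080)
TCP_REPLY_FROM_PUBLIC = Packet("198.51.100.7", "203.0.113.10", "tcp",
                               dport=40000, established=True)


def main():
    for name, rules in (("posted order", POSTED_ORDER), ("blanket order", BLANKET_ORDER)):
        print(f"--- {name} ---")
        for label, pkt in (("frag-needed from 10/8", FRAG_NEEDED_FROM_PRIVATE),
                           ("echo request from 10/8", ECHO_REQ_FROM_PRIVATE),
                           ("tcp syn from 192.168/16", TCP_SYN_FROM_PRIVATE),
                           ("tcp reply from public", TCP_REPLY_FROM_PUBLIC)):
            print(f"{label:28s} -> {evaluate(rules, pkt)}")


if __name__ == "__main__":
    main()
```

The only difference between the two lists is where the ICMP allow sits; the simulator shows that a Path MTU Discovery message (type 3) from a private-addressed router survives the posted order and is lost under the blanket order, while an echo request from the same source is denied either way.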