North American Network Operators Group


Re: RFC 1918

  • From: John Fraizer
  • Date: Mon Jul 17 07:34:34 2000

On Sun, 16 Jul 2000, Bohdan Tashchuk wrote:

> 
> The relevant snippet of my rules on my ingress filter is:
> 	
> 	1) ... block bad things such as unused or spoofed addrs ...
> 	2) allow icmp from any to any icmptypes 0,3,4,11,12
> 	3) deny ip from 10.0.0.0/8 to any
> 	4) deny ip from 172.16.0.0/12 to any
> 	5) deny ip from 192.168.0.0/16 to any
> 	6) allow tcp from any to any 1024-65535 established
> 	7) ... some other rules ...
> 	8) deny everything else by default
> 
> Line #2 allows relatively benign incoming ICMP, such as "fragmentation
> needed", but hopefully blocks the more problematic stuff.
<SNIP>
> If you take it upon yourself to "filter all RFC1918 usage" from the outside
> world, you (and your customers) will suffer for it. Because it seems to be
> established practice out there.


The ruleset you use is great for a leaf-node.  The problem it can
represent on the borders of a larger network is that a lot of nice script
kiddies like to spoof their source as RFC1918 space and since ICMP is 8
times out of 10 their payload, using such on the edges exposes the core
(and potentially some poor customer of yours on a DS1, etc) to whatever
level of hate-and-discontent you're capable of accepting on the borders. 


---
John Fraizer
EnterZone, Inc
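Added illustration (my own code, not from either poster): a first-match model of the quoted ipfw-style ruleset, run against a constructed ICMP packet whose source is spoofed into 10/8. It shows the ordering problem John describes (rule 2 matches before rules 3-5 ever see the packet) and the same rules with the RFC 1918 deny moved ahead of the ICMP allow. Rules 1 and 7 are elided in the post and so are left out; packet addresses and types are constructed.

```python
import ipaddress

# RFC 1918 ranges denied by rules 3-5 of the quoted filter.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule_icmp_benign(pkt):            # rule 2: icmptypes 0,3,4,11,12
    return pkt["proto"] == "icmp" and pkt.get("icmptype") in (0, 3, 4, 11, 12)

def rule_rfc1918_src(pkt):            # rules 3-5: deny ip from RFC 1918 to any
    return any(ipaddress.ip_address(pkt["src"]) in net for net in RFC1918)

def rule_tcp_established(pkt):        # rule 6: tcp to 1024-65535 established
    return (pkt["proto"] == "tcp" and 1024 <= pkt["dport"] <= 65535
            and pkt.get("established", False))

# Order as posted: ICMP allow is evaluated before the RFC 1918 denies.
AS_POSTED = [("allow", rule_icmp_benign),
             ("deny", rule_rfc1918_src),
             ("allow", rule_tcp_established)]

# Same rules, RFC 1918 deny first, so spoofed ICMP never reaches the allow.
REORDERED = [("deny", rule_rfc1918_src),
             ("allow", rule_icmp_benign),
             ("allow", rule_tcp_established)]

def evaluate(ruleset, pkt):
    """First match wins; anything unmatched is denied (rule 8)."""
    for action, pred in ruleset:
        if pred(pkt):
            return action
    return "deny"

# Constructed packets (documentation addresses, not real hosts).
SPOOFED_ICMP = {"proto": "icmp", "src": "10.1.2.3", "dst": "203.0.113.5", "icmptype": 11}
PUBLIC_ICMP = {"proto": "icmp", "src": "198.51.100.7", "dst": "203.0.113.5", "icmptype": 3}
SPOOFED_TCP = {"proto": "tcp", "src": "192.168.0.9", "dst": "203.0.113.5",
               "dport": 8080, "established": True}

def compare(pkt):
    """Return (verdict as posted, verdict with RFC 1918 deny first)."""
    return evaluate(AS_POSTED, pkt), evaluate(REORDERED, pkt)

if __name__ == "__main__":
    for name, pkt in (("spoofed icmp", SPOOFED_ICMP), ("public icmp", PUBLIC_ICMP),
                      ("spoofed tcp", SPOOFED_TCP)):
        print(name, compare(pkt))
```

Only the spoofed ICMP verdict changes between the two orderings; legitimate ICMP from public space is still allowed, and spoofed TCP was already caught by rules 3-5 in the posted order.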