Firewall Wizards mailing list archives
RE: egress/ingress filtering
From: shewitt () cdw com
Date: Thu, 15 Feb 2001 15:24:59 -0600
I was just looking over the internet draft referenced below, and I was confused with the access-list example given in the document. This is an excerpt from the internet draft:

    4. Access Control suggestions:

    In today's network, it is prudent to control access. In the case of
    these special use prefixes, it is generally a good idea to filter them
    so they do not propagate. After all, you don't want someone else's use
    of these prefixes to taint your environment. All of these address
    classes should be invalid as source addresses (except where negotiated
    in advance), and very few should be permitted as destination addresses
    (Multicast for example, should be permitted as a destination, just not
    as a source). An example of one form of access control is listed below:

    ...
    access-list 100 deny ip host 0.0.0.0 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
    access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
    access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
    access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
    access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
    access-list 100 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
    access-list 100 deny ip 240.0.0.0 15.255.255.255 any
    access-list 100 permit ip any any
    ...

If it is representing Cisco IOS syntax, and we analyze one of the lines:

    access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255

Doesn't this say: Deny all traffic with a source IP address in the range 127.0.0.0/8 and a destination address of 255.0.0.0/8?

If we wanted to deny all traffic with a source of 127.0.0.0/8 OR to deny all traffic with a destination address of 127.0.0.0/8, we'd have to use two separate access-list lines:

    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 deny ip any 127.0.0.0 0.255.255.255

Can somebody confirm my confusion, or please clear this up for me?

Thanks!
--Scott Hewitt

-----Original Message-----
From: Irwin R. Naumann [mailto:irwin () thinkage ca]
Sent: February 15, 2001 01:08 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] egress/ingress filtering

I know that one should do egress/ingress filtering on one's network border(s) of the private networks described in RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and anti-spoofing of one's own address blocks.

Bill Manning expanded this list to include:

    0.0.0.0/8
    127.0.0.0/8
    192.0.2.0/24
    169.254.0.0/16
    all D/E space (with a caveat on Class D - multicast address space)

in http://search.ietf.org/internet-drafts/draft-manning-dsua-06.txt.

Is there an RFC or internet draft other than Bill Manning's that documents special prefixes? Are these ALL the special prefixes?

Why aren't "IANA - Reserved" blocks as found in http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space included in egress/ingress filtering examples?

Irwin

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
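The question above turns on how an IOS extended ACL line is read: source address and wildcard first, then destination address and wildcard, with both terms having to match. The following small evaluator is an added example written for this archive page, not code from the draft or from either poster; it parses the `access-list N {permit|deny} ip SRC DST` lines quoted above (with `any`, `host` and address/wildcard terms only, an assumption that covers the excerpt but not full IOS syntax) and applies first-match, implicit-deny semantics, so the draft's single line and Scott's two-line alternative can be compared on constructed packets.

```python
import ipaddress

def _addr_term(tokens, i):
    """Decode one ACL address term starting at tokens[i].
    Returns (network, care_mask, next_index); a packet address matches
    when (address & care_mask) == (network & care_mask)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1                      # no bits are compared
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, (~wildcard) & 0xFFFFFFFF, i + 2   # wildcard 1-bits are "don't care"

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into its components."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError("unsupported ACL line: " + line)
    src, src_mask, i = _addr_term(t, 4)
    dst, dst_mask, _ = _addr_term(t, i)
    return {"action": t[2], "src": src, "src_mask": src_mask,
            "dst": dst, "dst_mask": dst_mask}

def _match(address, network, mask):
    return (int(ipaddress.IPv4Address(address)) & mask) == (network & mask)

def evaluate(acl_text, src, dst):
    """Return the action of the first matching entry; IOS denies if none match."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if _match(src, ace["src"], ace["src_mask"]) and _match(dst, ace["dst"], ace["dst_mask"]):
            return ace["action"]
    return "deny"

# The draft's loopback line as quoted in the message (sample ACL for this example).
DRAFT_ACL = """
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 permit ip any any
"""
# Scott's two-line version: source 127/8 OR destination 127/8.
TWO_LINE_ACL = """
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip any 127.0.0.0 0.255.255.255
access-list 100 permit ip any any
"""

if __name__ == "__main__":
    # Constructed packet: loopback source to an ordinary destination.
    print(evaluate(DRAFT_ACL, "127.0.0.1", "10.1.1.1"))     # permit
    print(evaluate(TWO_LINE_ACL, "127.0.0.1", "10.1.1.1"))  # deny
```

Running it shows the draft's line only denies a 127/8 source when the destination is also in 255/8, so a loopback-sourced packet to any other destination reaches the final `permit ip any any`, while the two-line form denies it in either direction.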
Current thread:
- egress/ingress filtering Irwin R. Naumann (Feb 15)
- Re: egress/ingress filtering Crist Clark (Feb 16)
- <Possible follow-ups>
- RE: egress/ingress filtering shewitt (Feb 16)
- Re: egress/ingress filtering Bill_Royds (Feb 16)
- Re: egress/ingress filtering Crist Clark (Feb 16)
- Re: egress/ingress filtering Ryan Russell (Feb 17)
- Re: egress/ingress filtering Crist Clark (Feb 16)
- Re: egress/ingress filtering Irwin R. Naumann (Feb 16)
- Re: egress/ingress filtering Crist Clark (Feb 16)