Firewall Wizards mailing list archives

RE: egress/ingress filtering


From: shewitt () cdw com
Date: Thu, 15 Feb 2001 15:24:59 -0600

I was just looking over the internet draft referenced below, and I was
confused with the access-list example given in the document.  

This is an excerpt from the internet draft:

        4. Access Control suggestions:

        In today's network, it is prudent to control access. In the case of these
        special use prefixes, it is generally a good idea to filter them so they
        do not propagate. After all, you don't want someone else's use of these
        prefixes to taint your environment. All of these address classes should be
        invalid as source addresses (except where negotiated in advance), and very
        few should be permitted as destination addresses (Multicast for example,
        should be permitted as a destination, just not as a source). An example of
        one form of access control is listed below:
        
        ...
        access-list 100 deny   ip host 0.0.0.0 any
        access-list 100 deny   ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
        access-list 100 deny   ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
        access-list 100 deny   ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
        access-list 100 deny   ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
        access-list 100 deny   ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
        access-list 100 deny   ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
        access-list 100 deny   ip 240.0.0.0 15.255.255.255 any
        access-list 100 permit ip any any
        ...

If it is representing Cisco IOS syntax, and we analyze one of the lines:
        access-list 100 deny   ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
Doesn't this say:
        Deny all traffic with a source IP address in the range 127.0.0.0/8
        and a destination address of 255.0.0.0/8?

If we wanted to deny all traffic with a source of 127.0.0.0/8 OR to deny all
traffic with a destination address of 127.0.0.0/8 we'd have to use two
separate access-list lines:
        access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
        access-list 100 deny   ip any 127.0.0.0 0.255.255.255

Can somebody confirm my confusion, or please clear this up for me?

Thanks!

--Scott Hewitt
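To make the two readings of the ACL syntax checkable, here is a small evaluator for Cisco-style extended IP access-list lines (added example, not part of the original post or of the draft). It models the wildcard-mask rule (a set bit means "don't care") and the implicit deny at the end of every ACL, and runs both the single line quoted from the draft and the two-line form from the post against sample packets; the sample addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

IPV4_MASK = 0xFFFFFFFF


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: int         # source base address
    src_wild: int    # source wildcard mask (1 bits are ignored)
    dst: int         # destination base address
    dst_wild: int    # destination wildcard mask


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens: list) -> tuple:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, IPV4_MASK           # every bit is "don't care"
    if tok == "host":
        return _to_int(tokens.pop(0)), 0  # every bit must match
    return _to_int(tok), _to_int(tokens.pop(0))


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list <n> <permit|deny> ip <src-spec> <dst-spec>'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    rest = tokens[4:]
    src, src_wild = _parse_addr(rest)   # source spec comes first,
    dst, dst_wild = _parse_addr(rest)   # destination spec second
    return AclEntry(tokens[2], src, src_wild, dst, dst_wild)


def _matches(addr: int, base: int, wild: int) -> bool:
    # Only the bits that are 0 in the wildcard are compared.
    fixed = ~wild & IPV4_MASK
    return (addr & fixed) == (base & fixed)


def evaluate(acl: list, src: str, dst: str) -> str:
    """Return the action of the first entry matching BOTH src and dst."""
    s, d = _to_int(src), _to_int(dst)
    for entry in acl:
        if _matches(s, entry.src, entry.src_wild) and _matches(d, entry.dst, entry.dst_wild):
            return entry.action
    return "deny"  # implicit deny at the end of every Cisco ACL


# The single line as quoted from the draft, followed by the permit-all line.
DRAFT_FORM = [parse_acl_line("access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255"),
              parse_acl_line("access-list 100 permit ip any any")]
# The two-line form from the post: block 127/8 as source OR as destination.
TWO_LINE_FORM = [parse_acl_line("access-list 100 deny ip 127.0.0.0 0.255.255.255 any"),
                 parse_acl_line("access-list 100 deny ip any 127.0.0.0 0.255.255.255"),
                 parse_acl_line("access-list 100 permit ip any any")]
```

Running `evaluate(DRAFT_FORM, "127.0.0.1", "192.0.2.10")` versus `evaluate(TWO_LINE_FORM, "127.0.0.1", "192.0.2.10")` shows the difference directly.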


-----Original Message-----
From: Irwin R. Naumann [mailto:irwin () thinkage ca]
Sent: February 15, 2001 01:08 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] egress/ingress filtering


I know that one should do egress/ingress filtering on one's network border(s)
of the private networks described in RFC1918 (10.0.0.0/8, 172.16.0.0.0/12,
192.168.0.0/16) and anti-spoofing of one's own address blocks.

Bill Manning expanded this list to include:
0.0.0.0/8
127.0.0.0/8
192.0.2.0/24
169.254.0.0/16
all D/E space (with a caveat on Class D - multicast address space)
in http://search.ietf.org/internet-drafts/draft-manning-dsua-06.txt.

Is there an RFC or internet draft other than Bill Manning's that documents
special prefixes?

Are these ALL the special prefixes?

Why aren't "IANA - Reserved" blocks as found in 
http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space
included in egress/ingress filtering examples?

  Irwin
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards