nanog mailing list archives
Re: Ping flooding (fwd)
From: "Forrest W. Christian" <forrestc () imach com>
Date: Tue, 9 Jul 1996 17:26:39 -0600 (MDT)
Personally, I use the configuration script listed below on my internet-facing interface. This guarantees that all packets coming into my net are tagged with a source address OUTSIDE my net, and are bound for a host inside my net. Likewise, outbound packets MUST have an origin inside my net. This protects me from address spoofing from the rest of the net, and protects the rest of the net from my users. I've got similar filters on all of my customer-facing interfaces.

-forrestc () imach com

-- Start of Included File --
!
! Configuration Script for IP Filtering on Internet-facing interface
! 101 is inbound
! 102 is outbound
!
int s 0
no ip access-group 101 in
no ip access-group 102 out
exit
no access-list 101
access-list 101 deny ip 204.94.230.0 0.0.1.255 any
access-list 101 deny ip 204.182.240.0 0.0.15.255 any
access-list 101 deny ip 199.5.171.0 0.0.0.255 any
access-list 101 deny ip 199.5.172.0 0.0.0.255 any
access-list 101 deny ip 205.166.211.0 0.0.0.255 any
access-list 101 deny ip 206.127.64.0 0.0.63.255 any
access-list 101 deny ip 206.58.180.0 0.0.1.255 any
access-list 101 deny ip 206.58.182.0 0.0.0.255 any
access-list 101 permit ip any 204.94.230.0 0.0.1.255
access-list 101 permit ip any 204.182.240.0 0.0.15.255
access-list 101 permit ip any 199.5.171.0 0.0.0.255
access-list 101 permit ip any 199.5.172.0 0.0.0.255
access-list 101 permit ip any 205.166.211.0 0.0.0.255
access-list 101 permit ip any 206.127.64.0 0.0.63.255
access-list 101 permit ip any 206.58.180.0 0.0.1.255
access-list 101 permit ip any 206.58.182.0 0.0.0.255
no access-list 102
access-list 102 permit ip 204.94.230.0 0.0.1.255 any
access-list 102 permit ip 204.182.240.0 0.0.15.255 any
access-list 102 permit ip 199.5.171.0 0.0.0.255 any
access-list 102 permit ip 199.5.172.0 0.0.0.255 any
access-list 102 permit ip 205.166.211.0 0.0.0.255 any
access-list 102 permit ip 206.127.64.0 0.0.63.255 any
access-list 102 permit ip 206.58.180.0 0.0.1.255 any
access-list 102 permit ip 206.58.182.0 0.0.0.255 any
int s 0
ip access-group 101 in
ip access-group 102 out
exit
-- End of Included File --
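
The filter logic in the message above, as an added example that is not part of the original post: this Python sketch regenerates access lists 101 and 102 from the message's prefixes and evaluates packets against them with first-match and implicit-deny semantics. The function names and the sample packets (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are constructed for illustration.

```python
import ipaddress

# Prefixes copied from access lists 101/102 in the message above.
INTERNAL = ["204.94.230.0/23", "204.182.240.0/20", "199.5.171.0/24",
            "199.5.172.0/24", "205.166.211.0/24", "206.127.64.0/18",
            "206.58.180.0/23", "206.58.182.0/24"]

def build_acls(prefixes):
    """Return (inbound 101, outbound 102) lines in the message's layout."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    # hostmask is the inverted netmask, i.e. the IOS wildcard mask
    specs = [f"{n.network_address} {n.hostmask}" for n in nets]
    inbound = ([f"access-list 101 deny ip {s} any" for s in specs] +
               [f"access-list 101 permit ip any {s}" for s in specs])
    outbound = [f"access-list 102 permit ip {s} any" for s in specs]
    return inbound, outbound

def _match(tokens, ip):
    """Consume one address spec ('any' or 'addr wildcard') and test ip."""
    if tokens[0] == "any":
        del tokens[0]
        return True
    addr = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))
    del tokens[:2]
    # bits set in the wildcard are "don't care"
    return (int(ip) | wild) == (addr | wild)

def evaluate(acl, src, dst):
    """First matching line wins; no match falls through to implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        fields = line.split()
        action, rest = fields[2], fields[4:]
        src_ok = _match(rest, src)   # always consume source, then destination
        dst_ok = _match(rest, dst)
        if src_ok and dst_ok:
            return action
    return "deny"

if __name__ == "__main__":
    acl_in, acl_out = build_acls(INTERNAL)
    # Constructed sample packets, not taken from the thread.
    for acl, src, dst in [(acl_in, "204.94.231.7", "199.5.171.10"),
                          (acl_in, "192.0.2.1", "206.127.100.5"),
                          (acl_out, "206.58.181.9", "192.0.2.1"),
                          (acl_out, "192.0.2.1", "198.51.100.1")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```

Keeping the prefixes in one list and generating both access lists from it avoids the inbound and outbound filters drifting apart when a block is added or removed.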