nanog mailing list archives

Re: Filtering Source Addresses on gw-internet

From: Greg Ketell <gketell () cisco com>
Date: Wed, 13 Aug 1997 22:15:34 -0700

Sorry for the delay.  I am in all-day meetings through the end
of the week.

If Null0 were a standard interface I would say "yes, definitely
a better method".  But since it isn't, I am not sure.  I will
try to find out and post tomorrow night (unless someone else
from cisco (or formerly from cisco) pops up the answer first.

GK

Date: Wed, 13 Aug 1997 06:46:58 -0400 (EDT)
From: "C. Jon Larsen" <jlarsen () ajtech com>
To: Greg Ketell <gketell () cisco com>
cc: nanog () merit edu
Subject: Re: Filtering Source Addresses on gw-internet

Much thanks to everyone for their input. Greg, since you have

"Cisco" in your

email address, any comment on whether sending packets to a null

interface is a

quicker / more efficient way blocking unwanted traffic ?

gw-internet is a

little old 68030, with 1MB RAM.

-----BEGIN PGP SIGNED MESSAGE-----

At 03:05 PM 8/12/97 -0400, C. Jon Larsen wrote:

gw-internet#show access-lists 120
Extended IP access list 120
   deny   ip any 10.0.0.0 0.255.255.255 log
   deny   ip any 172.16.0.0 0.0.255.255 log
   deny   ip any 172.17.0.0 0.0.255.255 log
   deny   ip any 192.168.0.0 0.0.255.255 log
   permit ip a.b.c.0 0.0.0.255 any (27429 matches)
   deny   ip any any log


Line 2 and 3 could be replaced by
deny ip any 172.16.0.0 0.15.255.255 log

which would block all 172.16.0.0-172.31.0.0 as per the RFC.

You might also want to block 127.0.0.0.

GK

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBM/DBxW384++etaQJAQGlwAgAoVjoB5EZCaYjzvmwWaVeO5zOPTipegDE

0TX2Xg2L5yIClAeiWD4f0T4E4jCH5BtSwoitlu9fcHlsPo4VRwOutQssIJHL+sUR

Ps1NEot6pwOu+slCwklLhqVwyouv0UHI0Fxal5aCM65X+WNH8+5HvE9g4uBQp8A6

o6HzM++69FKwg8pdQ82HNnjToVZxsqwH41HNSHC0HjLvJG+uZPBFlzLEdnvkNSRg

fikSERpnZAa+QzpTRjtTcK3XC2DEYGAi0wifn9mbyRav9xenzvNl+rUV5Fg/jbFS

jDFhiLFJc/7o3Y5+9HoA9keBEqeFMle86BGjX09C1FKLtPnVhTwSpQ==
=ZNYx
-----END PGP SIGNATURE-----



Linux.

+-------------------+---------------------+
| C. Jon Larsen     | jlarsen () ajtech com  |
| Systems Engineer  | Tel: 804.353.2800   |
| A&J Technologies  |                     |
|-------------------+---------------------|
|         http://www.ajtech.com           |
+-----------------------------------------+

Current thread:

Filtering Source Addresses on gw-internet C. Jon Larsen (Aug 12)
- Re: Filtering Source Addresses on gw-internet Greg Ketell (Aug 12)
  - Re: Filtering Source Addresses on gw-internet C. Jon Larsen (Aug 13)
- <Possible follow-ups>
- Re: Filtering Source Addresses on gw-internet C. Jon Larsen (Aug 12)
  - Re: Filtering Source Addresses on gw-internet Jon Lewis (Aug 12)
- Re: Filtering Source Addresses on gw-internet Greg Ketell (Aug 13)
- Re: Filtering Source Addresses on gw-internet Greg Ketell (Aug 14)
  - Re: Filtering Source Addresses on gw-internet Jon Lewis (Aug 15)
    - Re: Filtering Source Addresses on gw-internet Tony Li (Aug 15)