nanog mailing list archives
Re: NSPs filter?
From: Stephen Stuart <stuart () tech org>
Date: Thu, 08 Aug 2002 18:45:17 -0700
One thing that sometimes comes up is that people do number links using RFC1918 address space which occasionally results in an ICMP 'fragmentation needed but DF bit set' packet with an RFC1918 source address. Filtering out this packet could result in TCP breaking.
That can be accommodated; behold, all the joy of PMTUD, with none of the other crap from designated special-use address space:

firewall {
    family inet {
        filter external-filter {
            term allow-icmp-unreach {
                from {
                    protocol icmp;
                    icmp-type unreachable;
                    icmp-code fragmentation-needed;
                }
                then {
                    count allow-icmp-need-frag;
                    accept;
                }
            }
            term allow-icmp-timxceed {
                from {
                    protocol icmp;
                    icmp-type time-exceeded;
                    icmp-code [ ttl-eq-zero-during-transit ttl-eq-zero-during-reassembly ];
                }
                then {
                    count allow-icmp-timxceed;
                    accept;
                }
            }
            term deny-rfc1918 {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    count deny-rfc1918;
                    discard;
                }
            }
            term deny-test {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    count deny-test-net;
                    discard;
                }
            }
            term deny-autoconfig {
                from {
                    source-address {
                        169.254.0.0/16;
                    }
                }
                then {
                    count deny-autoconfig;
                    discard;
                }
            }
            term LAST {
                then accept;
            }
        }
    }
}

Application is left as an exercise to the reader.

Stephen
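An added example, not part of the original post: a small Python model of Junos first-match term evaluation, run over constructed packets, showing why the two ICMP accept terms must sit ahead of the RFC1918 deny term (the packet dictionaries and the `evaluate`/`misordered` helpers are assumptions for illustration).

```python
# Added example (not from the original post): first-match evaluation of the
# filter above over constructed packets. Models only what the page's filter
# needs: protocol, source address, ICMP type and code.
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TEST_NET = [ip_network("192.0.2.0/24")]
AUTOCONF = [ip_network("169.254.0.0/16")]

def _src_in(prefixes):
    return lambda p: any(ip_address(p["src"]) in n for n in prefixes)

def _icmp(p, icmp_type, codes):
    return p["proto"] == "icmp" and p.get("type") == icmp_type and p.get("code") in codes

# (term name, match predicate, action), in the order the page lists them.
# Terms are evaluated top to bottom and the first match decides.
FILTER = [
    ("allow-icmp-unreach", lambda p: _icmp(p, "unreachable", ("fragmentation-needed",)), "accept"),
    ("allow-icmp-timxceed", lambda p: _icmp(p, "time-exceeded",
        ("ttl-eq-zero-during-transit", "ttl-eq-zero-during-reassembly")), "accept"),
    ("deny-rfc1918", _src_in(RFC1918), "discard"),
    ("deny-test", _src_in(TEST_NET), "discard"),
    ("deny-autoconfig", _src_in(AUTOCONF), "discard"),
    ("LAST", lambda p: True, "accept"),
]

def evaluate(packet, terms=FILTER):
    """Return (term name, action) of the first matching term."""
    for name, match, action in terms:
        if match(packet):
            return name, action
    raise AssertionError("no term matched")  # unreachable: LAST matches everything

def misordered():
    """Same terms, but with deny-rfc1918 moved to the top (the mistake to avoid)."""
    t = FILTER[:]
    t.insert(0, t.pop(2))
    return t

# Constructed sample packets, not captured traffic.
PMTUD_FROM_RFC1918 = {"proto": "icmp", "src": "10.1.2.3",
                      "type": "unreachable", "code": "fragmentation-needed"}
TCP_FROM_RFC1918 = {"proto": "tcp", "src": "192.168.5.5"}
PING_FROM_TESTNET = {"proto": "icmp", "src": "192.0.2.7", "type": "echo-request"}
TCP_FROM_OTHER = {"proto": "tcp", "src": "198.51.100.9"}  # matched by no deny term here

if __name__ == "__main__":
    for p in (PMTUD_FROM_RFC1918, TCP_FROM_RFC1918, PING_FROM_TESTNET, TCP_FROM_OTHER):
        print(p["src"], "as listed:", evaluate(p), "misordered:", evaluate(p, misordered()))
```

With the page's ordering the fragmentation-needed message from 10.1.2.3 is accepted (PMTUD keeps working) while other RFC1918-sourced traffic is discarded; with deny-rfc1918 moved first, that same ICMP message is discarded.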