nanog mailing list archives
Re: blocking unallocated subnets
From: Rob Thomas <robt () cymru com>
Date: Fri, 2 Dec 2005 14:14:11 -0600 (CST)
Hi, Randy.

] > Another option is to automate the updates and leave the hard work
] > to us!
]
] the op was discussing port-specific filtering for dns only. could
] you explain how i can automake my /etc/ipfw.rules leaving the hard
] work to you? e.g.

There are often subtle relationships when it comes to filtering.
While the DNS name servers may have no such filters, they are
unreachable due to filters on upstream routers. So we try to
provide as wide a set of filters as possible.

] add deny udp from 203.49.118.0/24 to any 53

Now that is a set of filters we don't make available. I'll see if
I can create another page for IPFW filters. I should do the same
for IPF as well.

You could Zebra peer with the Bogon route-servers and accept these
prefixes as null routes. I've used null routes on servers frequently,
but I've not tried the combination before. Take it with a grain of
salt. :)

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
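Added example, not part of the message above and not Team Cymru's code: one way to generate port-53 ipfw rules, in the format quoted in the message, from a prefix list. The input format (one CIDR per line, "#" comments), the function names, the /8 floor and the sample prefixes (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: RFC 5737 documentation ranges, not real bogon data.
SAMPLE_LIST = """\
# constructed sample list
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
203.0.113.7/24
0.0.0.0/0
not-a-prefix
"""


def parse_prefixes(text, min_prefixlen=8):
    """Parse a one-CIDR-per-line list; return (collapsed networks, rejected lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True refuses entries with host bits set (likely typos)
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        # Guard: a corrupted feed must never yield a rule covering most of
        # the address space (assumed floor of /8), and only IPv4 is handled.
        if net.version != 4 or net.prefixlen < min_prefixlen:
            rejected.append(line)
            continue
        nets.append(net)
    # Merge adjacent and overlapping prefixes to keep the rule set short
    return list(ipaddress.collapse_addresses(nets)), rejected


def ipfw_dns_rules(networks):
    """Emit one deny rule per prefix, in the form quoted in the message."""
    return [f"add deny udp from {net} to any 53" for net in networks]


if __name__ == "__main__":
    networks, bad = parse_prefixes(SAMPLE_LIST)
    print("\n".join(ipfw_dns_rules(networks)))
    for entry in bad:
        print(f"# rejected entry: {entry}")
```

Review the rejected entries before loading the generated rules; a list that suddenly shrinks or fails validation is a reason to keep the previous rule file.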