Ping flooding (fwd)
Forrest W. Christian
forrestc at imach.com
Tue Jul 9 23:26:39 UTC 1996
Personally, I use the configuration script listed below on my
internet-facing interface. This guarantees that all packets coming into
my net are tagged with a source address OUTSIDE my net, and are bound for
a host inside my net. Likewise, outbound packets MUST have an origin
inside my net.

This protects me from address spoofing from the rest of the net, and
protects the rest of the net from my users.

I've got similar filters on all of my customer-facing interfaces.

-forrestc at imach.com

-- Start of Included File --
!
! Configuration Script for IP Filtering on Internet-facing interface
! 101 is inbound
! 102 is outbound
!
int s 0
no ip access-group 101 in
no ip access-group 102 out
exit
no access-list 101
access-list 101 deny ip 204.94.230.0 0.0.1.255 any
access-list 101 deny ip 204.182.240.0 0.0.15.255 any
access-list 101 deny ip 199.5.171.0 0.0.0.255 any
access-list 101 deny ip 199.5.172.0 0.0.0.255 any
access-list 101 deny ip 205.166.211.0 0.0.0.255 any
access-list 101 deny ip 206.127.64.0 0.0.63.255 any
access-list 101 deny ip 206.58.180.0 0.0.1.255 any
access-list 101 deny ip 206.58.182.0 0.0.0.255 any
access-list 101 permit ip any 204.94.230.0 0.0.1.255
access-list 101 permit ip any 204.182.240.0 0.0.15.255
access-list 101 permit ip any 199.5.171.0 0.0.0.255
access-list 101 permit ip any 199.5.172.0 0.0.0.255
access-list 101 permit ip any 205.166.211.0 0.0.0.255
access-list 101 permit ip any 206.127.64.0 0.0.63.255
access-list 101 permit ip any 206.58.180.0 0.0.1.255
access-list 101 permit ip any 206.58.182.0 0.0.0.255
no access-list 102
access-list 102 permit ip 204.94.230.0 0.0.1.255 any
access-list 102 permit ip 204.182.240.0 0.0.15.255 any
access-list 102 permit ip 199.5.171.0 0.0.0.255 any
access-list 102 permit ip 199.5.172.0 0.0.0.255 any
access-list 102 permit ip 205.166.211.0 0.0.0.255 any
access-list 102 permit ip 206.127.64.0 0.0.63.255 any
access-list 102 permit ip 206.58.180.0 0.0.1.255 any
access-list 102 permit ip 206.58.182.0 0.0.0.255 any
int s 0
ip access-group 101 in
ip access-group 102 out
exit
-- End of Included File ---
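
The first-match behaviour of the filters above, as an added example that is not part of the original post: a small Python evaluator for `access-list` lines of this shape, loaded with two of the post's eight prefixes. The function names and the sample packet addresses (192.0.2.x, 198.51.100.x) are constructed for illustration.

```python
import ipaddress

# Subset of the post's ACLs (two of the eight prefixes), same rule order.
ACL_TEXT = """
access-list 101 deny ip 204.94.230.0 0.0.1.255 any
access-list 101 deny ip 206.127.64.0 0.0.63.255 any
access-list 101 permit ip any 204.94.230.0 0.0.1.255
access-list 101 permit ip any 206.127.64.0 0.0.63.255
access-list 102 permit ip 204.94.230.0 0.0.1.255 any
access-list 102 permit ip 206.127.64.0 0.0.63.255 any
"""

def _spec(tokens):
    """Consume 'any' or 'addr wildcard'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]

def parse_acls(text):
    """Map ACL number -> ordered list of (action, src_spec, dst_spec)."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, rest = _spec(t[4:])
        dst, _ = _spec(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def _hit(addr, spec):
    # Wildcard bits set to 1 are "don't care"; compare the remaining bits.
    base, wild = spec
    return (addr | wild) == (base | wild)

def evaluate(rules, src, dst):
    """First matching rule wins; no match falls through to the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in rules:
        if _hit(s, src_spec) and _hit(d, dst_spec):
            return action
    return "deny"

ACLS = parse_acls(ACL_TEXT)
if __name__ == "__main__":
    print("in, spoofed internal source:", evaluate(ACLS["101"], "204.94.231.9", "206.127.70.1"))
    print("out, foreign source:", evaluate(ACLS["102"], "192.0.2.77", "198.51.100.1"))
```

The deny lines must precede the permit lines in list 101: with the order reversed, a packet claiming an internal source and bound for an internal host would match a permit first.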