Ping flooding (fwd)

Forrest W. Christian forrestc at imach.com
Tue Jul 9 23:26:39 UTC 1996


Personally, I use the configuration script listed below on my 
internet-facing interface.  This guarantees that all packets coming into 
my net are tagged with a source address OUTSIDE my net, and are bound for 
a host inside my net.  Likewise, outbound packets MUST have an origin 
inside my net.

This protects me from address spoofing from the rest of the net, and 
protects the rest of the net from my users.

I've got similar filters on all of my customer-facing interfaces.

-forrestc at imach.com

-- Start of Included File --
!
! Configuration Script for IP Filtering on Internet-facing interface
! 101 is inbound
! 102 is outbound
!
int s 0
no ip access-group 101 in
no ip access-group 102 out
exit

no access-list 101

access-list 101 deny   ip 204.94.230.0 0.0.1.255 any
access-list 101 deny   ip 204.182.240.0 0.0.15.255 any
access-list 101 deny   ip 199.5.171.0 0.0.0.255 any
access-list 101 deny   ip 199.5.172.0 0.0.0.255 any
access-list 101 deny   ip 205.166.211.0 0.0.0.255 any
access-list 101 deny   ip 206.127.64.0 0.0.63.255 any
access-list 101 deny   ip 206.58.180.0 0.0.1.255 any
access-list 101 deny   ip 206.58.182.0 0.0.0.255 any
access-list 101 permit ip any 204.94.230.0 0.0.1.255
access-list 101 permit ip any 204.182.240.0 0.0.15.255
access-list 101 permit ip any 199.5.171.0 0.0.0.255
access-list 101 permit ip any 199.5.172.0 0.0.0.255
access-list 101 permit ip any 205.166.211.0 0.0.0.255
access-list 101 permit ip any 206.127.64.0 0.0.63.255
access-list 101 permit ip any 206.58.180.0 0.0.1.255
access-list 101 permit ip any 206.58.182.0 0.0.0.255

no access-list 102
access-list 102 permit ip 204.94.230.0 0.0.1.255 any
access-list 102 permit ip 204.182.240.0 0.0.15.255 any
access-list 102 permit ip 199.5.171.0 0.0.0.255 any
access-list 102 permit ip 199.5.172.0 0.0.0.255 any
access-list 102 permit ip 205.166.211.0 0.0.0.255 any
access-list 102 permit ip 206.127.64.0 0.0.63.255 any
access-list 102 permit ip 206.58.180.0 0.0.1.255 any
access-list 102 permit ip 206.58.182.0 0.0.0.255 any

int s 0
ip access-group 101 in
ip access-group 102 out
exit
-- End of Included File ---
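To show what the two access lists above actually do to a packet, here is an added Python model of them (editor's example, not part of the original post or any router software). It evaluates the eight prefixes from the script with Cisco wildcard-mask semantics and first-match order, including the implicit deny that IOS appends to every access list, so you can see which inbound and outbound packets survive. The sample packets use documentation ranges (192.0.2.0/24, 198.51.100.0/24) as constructed "outside" addresses.

```python
import ipaddress

# The eight local prefixes from the script, as Cisco "network wildcard" pairs.
LOCAL_NETS = [
    ("204.94.230.0", "0.0.1.255"),
    ("204.182.240.0", "0.0.15.255"),
    ("199.5.171.0", "0.0.0.255"),
    ("199.5.172.0", "0.0.0.255"),
    ("205.166.211.0", "0.0.0.255"),
    ("206.127.64.0", "0.0.63.255"),
    ("206.58.180.0", "0.0.1.255"),
    ("206.58.182.0", "0.0.0.255"),
]


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def build_acls(nets):
    """Rebuild access-list 101 (inbound) and 102 (outbound) from the script.
    Entries are (action, src, dst); src/dst are (network, wildcard) or None for 'any'.
    Order matters: 101 denies local sources before permitting local destinations."""
    acl101 = [("deny", net, None) for net in nets] + [("permit", None, net) for net in nets]
    acl102 = [("permit", net, None) for net in nets]
    return acl101, acl102


def evaluate(acl, src, dst):
    """First-match evaluation; an unmatched packet hits IOS's implicit 'deny'."""
    for action, s, d in acl:
        src_ok = s is None or wildcard_match(src, *s)
        dst_ok = d is None or wildcard_match(dst, *d)
        if src_ok and dst_ok:
            return action
    return "deny"


if __name__ == "__main__":
    acl101, acl102 = build_acls(LOCAL_NETS)
    # Constructed samples: an inbound packet claiming a local source is spoofed.
    print("inbound spoofed :", evaluate(acl101, "204.94.231.7", "204.94.230.10"))
    print("inbound legit   :", evaluate(acl101, "192.0.2.1", "206.127.100.5"))
    print("inbound transit :", evaluate(acl101, "192.0.2.1", "198.51.100.1"))
    print("outbound legit  :", evaluate(acl102, "199.5.172.9", "192.0.2.1"))
    print("outbound spoofed:", evaluate(acl102, "198.51.100.1", "192.0.2.1"))
```

Note that the transit case is denied by the implicit deny, not by any line in the script: a router with only these lists will not forward traffic for prefixes it does not list, so the permit lines must track every prefix behind the interface.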