Filtering Source Addresses on gw-internet
C. Jon Larsen
jlarsen at ajtech.com
Wed Aug 13 10:46:58 UTC 1997
Much thanks to everyone for their input. Greg, since you have "Cisco" in your
email address, any comment on whether sending packets to a null interface is a
quicker / more efficient way of blocking unwanted traffic? gw-internet is a
little old 68030, with 1MB RAM.
> -----BEGIN PGP SIGNED MESSAGE-----
>
> At 03:05 PM 8/12/97 -0400, C. Jon Larsen wrote:
> >gw-internet#show access-lists 120
> >Extended IP access list 120
> > deny ip any 10.0.0.0 0.255.255.255 log
> > deny ip any 172.16.0.0 0.0.255.255 log
> > deny ip any 172.17.0.0 0.0.255.255 log
> > deny ip any 192.168.0.0 0.0.255.255 log
> > permit ip a.b.c.0 0.0.0.255 any (27429 matches)
> > deny ip any any log
>
> Lines 2 and 3 could be replaced by
> deny ip any 172.16.0.0 0.15.255.255 log
>
> which would block all 172.16.0.0-172.31.0.0 as per the RFC.
>
> You might also want to block 127.0.0.0.
>
> GK
>
Linux.
+-------------------+---------------------+
| C. Jon Larsen | jlarsen at ajtech.com |
| Systems Engineer | Tel: 804.353.2800 |
| A&J Technologies | |
|-------------------+---------------------|
| http://www.ajtech.com |
+-----------------------------------------+
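The coverage gap pointed out in the quoted reply can be checked mechanically. The following is an added example, not part of the original thread: it converts the Cisco wildcard masks to prefixes and reports which parts of the private and loopback blocks the deny entries miss. The `/8` mask for 127.0.0.0 and the `REVISED` list are assumptions constructed for the illustration.

```python
import ipaddress

# Blocks the thread wants dropped: RFC 1918 space plus loopback.
# Assumption: "127.0.0.0" in the reply is taken to mean 127.0.0.0/8.
REQUIRED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an ip_network (contiguous masks only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                      # wildcard must look like 2**k - 1
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def denied_networks(acl_lines):
    """Networks matched by 'deny ip any <addr> <wildcard>' entries before the first permit."""
    nets = []
    for line in acl_lines:
        tok = line.split()
        if tok and tok[0] == "permit":   # first match wins: later denies don't count
            break
        if tok[:3] == ["deny", "ip", "any"] and len(tok) >= 5 and tok[3] != "any":
            nets.append(wildcard_to_network(tok[3], tok[4]))
    return nets

def uncovered(acl_lines, required=REQUIRED):
    """Return the parts of each required block that no deny entry matches."""
    denied, gaps = denied_networks(acl_lines), []
    for block in required:
        remaining = [block]
        for d in denied:                 # carve each denied network out of what is left
            remaining = [p for r in remaining if not r.subnet_of(d)
                         for p in (r.address_exclude(d) if d.subnet_of(r) else [r])]
        gaps.extend(ipaddress.collapse_addresses(remaining))
    return gaps

# Access list 120 as posted in the thread (match counters dropped).
POSTED = """deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.0.255.255 log
deny ip any 172.17.0.0 0.0.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
permit ip a.b.c.0 0.0.0.255 any
deny ip any any log""".splitlines()
# The reply's single 172.16.0.0 0.15.255.255 entry; the 127 line is constructed here.
REVISED = [POSTED[0], "deny ip any 172.16.0.0 0.15.255.255 log", POSTED[3],
           "deny ip any 127.0.0.0 0.255.255.255 log"] + POSTED[4:]

if __name__ == "__main__":
    print("posted ACL misses: ", [str(n) for n in uncovered(POSTED)])
    print("revised ACL misses:", [str(n) for n in uncovered(REVISED)])
```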