Firewalls in service provider environments

George Bonser gbonser at seven.com
Tue Feb 7 16:34:07 CST 2012


> 
> Here is the template we typically use (or a variant of it):
> 
> <-- snippet -->
> access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
> access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
> access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
> access-list 102 deny   ip 0.0.0.0 0.255.255.255 any
> access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
> access-list 102 deny   ip 224.0.0.0 15.255.255.255 any
> access-list 102 deny   ip host 255.255.255.255 any

I typically also include traffic to/from:

TCP/UDP port 0
169.254.0.0/16
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24

Been wondering if I should block 198.18.0.0/15 as well.
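As an added illustration (not part of the original post), the following Python evaluates constructed sample flows against the quoted template plus the extra ranges from this reply. It decodes the template's Cisco wildcard masks (the inverse of a netmask), renders CIDR prefixes such as 198.18.0.0/15 back into the same ACL syntax, and applies the template's entries to the source field only while treating the reply's ranges as to/from, as the two messages describe.

```python
import ipaddress

# Entries from the quoted template as (address, wildcard) on the *source* field
# ("deny ip <addr> <wildcard> any").  In a wildcard mask, 0 bits must match
# and 1 bits are "don't care", i.e. it is the bitwise inverse of a netmask.
TEMPLATE_SOURCES = [
    ("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"), ("0.0.0.0", "0.255.255.255"),
    ("127.0.0.0", "0.255.255.255"), ("224.0.0.0", "15.255.255.255"),
    ("255.255.255.255", "0.0.0.0"),  # "host 255.255.255.255" is a /32
]
# Ranges from the reply, filtered in both directions (to/from), in CIDR form.
EXTRA_PREFIXES = ["169.254.0.0/16", "192.0.2.0/24", "198.51.100.0/24",
                  "203.0.113.0/24", "198.18.0.0/15"]

def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair into an IPv4Network."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network((addr, netmask), strict=False)

def network_to_acl_line(prefix, acl_id=102):
    """Render a CIDR prefix as a 'deny ip <addr> <wildcard> any' ACL line."""
    net = ipaddress.IPv4Network(prefix)
    return f"access-list {acl_id} deny   ip {net.network_address} {net.hostmask} any"

def is_denied(src_ip, dst_ip, src_port, dst_port):
    """Return why a flow would be dropped by the combined filter, or None if it passes."""
    if src_port == 0 or dst_port == 0:          # reply: TCP/UDP port 0
        return "port 0"
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for addr, wildcard in TEMPLATE_SOURCES:     # template: matches source only
        net = wildcard_to_network(addr, wildcard)
        if src in net:
            return f"source {src} in {net}"
    for prefix in EXTRA_PREFIXES:               # reply: traffic to *or* from
        net = ipaddress.IPv4Network(prefix)
        if src in net or dst in net:
            return f"{src if src in net else dst} in {net}"
    return None

if __name__ == "__main__":
    # Constructed sample flows: (src, dst, sport, dport); not real traffic.
    flows = [("10.1.2.3", "8.8.8.8", 40000, 80), ("8.8.8.8", "198.19.1.1", 40000, 80),
             ("8.8.8.8", "1.1.1.1", 0, 80), ("8.8.8.8", "1.1.1.1", 40000, 443)]
    for flow in flows:
        print(flow, "->", is_denied(*flow) or "permit")
    print(network_to_acl_line("198.18.0.0/15"))
```

Note that a destination inside 10.0.0.0/8 passes, because the quoted template only matches the source field; the reply's ranges are the ones filtered in both directions.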
