Firewalls in service provider environments
George Bonser
gbonser at seven.com
Tue Feb 7 22:34:07 UTC 2012
>
> Here is the template we typically use (or a variant of it):
>
> <-- snippet -->
> access-list 102 deny ip 10.0.0.0 0.255.255.255 any
> access-list 102 deny ip 172.16.0.0 0.15.255.255 any
> access-list 102 deny ip 192.168.0.0 0.0.255.255 any
> access-list 102 deny ip 0.0.0.0 0.255.255.255 any
> access-list 102 deny ip 127.0.0.0 0.255.255.255 any
> access-list 102 deny ip 224.0.0.0 15.255.255.255 any
> access-list 102 deny ip host 255.255.255.255 any
I typically also include traffic to/from:
TCP/UDP port 0
169.254.0.0/16
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
Been wondering if I should also block 198.18.0.0/15 as well.
More information about the NANOG
mailing list