Firewalls in service provider environments

Steve Bertrand steve.bertrand at gmail.com
Tue Feb 7 21:20:13 CST 2012


On 2012.02.07 20:47, Suresh Ramasubramanian wrote:
> On Wed, Feb 8, 2012 at 4:04 AM, George Bonser<gbonser at seven.com>  wrote:
>> I typically also include traffic to/from:
>>
>> TCP/UDP port 0
>> 169.254.0.0/16
>> 192.0.2.0/24
>> 198.51.100.0/24
>> 203.0.113.0/24
>>
>> Been wondering if I should also block 198.18.0.0/15 as well.
>
> suresh at frodo 17:46:08 :~$ nslookup 1.113.0.203.bogons.cymru.com
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name:   1.113.0.203.bogons.cymru.com
> Address: 127.0.0.2
>
> Also available as a bgp feed, for years now.   Saves you updating your
> martian ACLs from time to time.

Amen. v4 and v6 lists are available via free BGP feed (via v4 and v6 
peering) from Cymru. Dynamic simplicity within community's finest standards.

Works wonders for those who have s/RTBH deployed.




More information about the NANOG mailing list