In response to the many requests and comments on this list for all
NetworkOps to install filtering to prevent IP spoofing attacks . . .
On my internet router (gw-internet) I had set up filtering to attempt to
block all outgoing source addresses that do not have my network
(a.b.c.0/24) as their source some time ago.
Then, I had to modify the acl 120 to prevent
the default route for our internal network from leaking the occasional
packet with an RFC 1597 private destination address out to our ISP. (We
use Cisco 11.2 NAT to hide several medium sized networks behind a couple
af legit IPs. I took another spare router, and slapped 1.1.1.1/8 on a
secondary interface, and tried to ping out, and my acl seems to be O.k.
I'm just trying to be responsible for my users (some of whom are
@ unsupervised and remote sites via dialup & ISDN) and prevent any
other network ops from experiencing problems caused by ignorant /
malicious users that may find their way onto my network !
Any comments / suggestions / improvements / warning / something I have
missed ??? Thanks !
gw-internet#show access-lists 120
Extended IP access list 120
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.0.255.255 log
deny ip any 172.17.0.0 0.0.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
permit ip a.b.c.0 0.0.0.255 any (27429 matches)
deny ip any any log
gw-internet#
%SEC-6-IPACCESSLOGDP: list 120 denied icmp 1.1.1.1 -> 205.161.206.4 (8/0),
1 packet
ICMP: dst (205.161.206.4) administratively prohibited unreachable sent to
1.1.1.1
ICMP: dst (205.161.206.4) administratively prohibited unreachable sent to
1.1.1.1
ICMP: dst (205.161.206.4) administratively prohibited unreachable sent to
1.1.1.1
ICMP: dst (205.161.206.4) administratively prohibited unreachable sent to
1.1.1.1
ICMP: dst (205.161.206.4) administratively prohibited unreachable sent to
1.1.1.1