
Re: Ingress filtering



On Mon, Sep 17, 2001 at 12:50:26AM +0100, Pedro Corte-Real wrote:
> I know they are:
> 
> 10.0.0.0        -   10.255.255.255

10.0.0.0:255.0.0.0 aka 10.0.0.0/8

> 172.16.0.0      -   172.31.255.255

172.16.0.0:255.240.0.0 aka 172.16.0.0/12

> 192.168.0.0     -   192.168.255.255

192.168.0.0:255.255.0.0 aka 192.168.0.0/16

In addition you should block the link-local net and perhaps all multicast
networks, if you are sure you do not use them.

127.0.0.0/8 Loopback
224.0.0.0/4 multicast
169.254.0.0/16 Microsoft Link Local

Of course much more important is to block packets with your local network as
source (maybe even destination if you do NAT). And to block outgoing spoofed
and leaking (i.e. with your internal sender address) packets in the
egress filter.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
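
Added example, not part of the original message: the source-address checks the reply describes, written in Python so the range-to-prefix conversions and the ingress/egress decisions can be checked offline. The function names are hypothetical, and the public prefix 192.0.2.0/24 and all sample addresses are constructed placeholders; only source addresses are examined.

```python
import ipaddress

# Networks listed in the message: sources that must never arrive from outside.
BOGONS = [(ipaddress.ip_network(n), why) for n, why in [
    ("10.0.0.0/8", "private"),
    ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"),
    ("127.0.0.0/8", "loopback"),
    ("224.0.0.0/4", "multicast"),
    ("169.254.0.0/16", "link-local"),
]]


def range_to_cidr(first, last):
    """Convert a first-last address range into the prefixes that cover it."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def ingress_verdict(src, local_nets):
    """Decide on a packet arriving on the external interface."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in local_nets):
        return "DROP: spoofed local source"  # our own addresses cannot come from outside
    for net, why in BOGONS:
        if addr in net:
            return f"DROP: {why} source"
    return "ACCEPT"


def egress_verdict(src, local_nets):
    """Decide on a packet leaving on the external interface (after any NAT)."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in local_nets):
        return "ACCEPT"  # only our own public addresses may leave
    for net, why in BOGONS:
        if addr in net:
            return f"DROP: leaking {why} source"  # e.g. un-NATed internal host
    return "DROP: spoofed source"


if __name__ == "__main__":
    ours = [ipaddress.ip_network("192.0.2.0/24")]  # assumed public prefix
    for src in ("198.51.100.7", "10.1.2.3", "172.32.0.1", "192.0.2.10"):
        print("in ", src, ingress_verdict(src, ours))
    for src in ("192.0.2.10", "192.168.1.5", "198.51.100.7"):
        print("out", src, egress_verdict(src, ours))
```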


