Re: Ingress filtering

To: debian-firewall@lists.debian.org
Subject: Re: Ingress filtering
From: Bernd Eckenfels <lists@lina.inka.de>
Date: Mon, 17 Sep 2001 02:22:55 +0200
Message-id: <20010917022255.B10430@lina.inka.de>
In-reply-to: <01091700502601.00385@planck>
References: <01091700502601.00385@planck>

On Mon, Sep 17, 2001 at 12:50:26AM +0100, Pedro Corte-Real wrote:
> I know they are:
> 
> 10.0.0.0        -   10.255.255.255

10.0.0.0:255.0.0.0 aka 10.0.0.0/8

> 172.16.0.0      -   172.31.255.255

172.16.0.0:255.240.0.0 aka 172.16.0.0/12

> 192.168.0.0     -   192.168.255.255

192.168.0.0:255.255.0.0 aka 192.168.0.0/16

In addition you should block the link-local net and perhaps all multicast
networks, if you are shure you do not use them.

127.0.0.0/8 Loopback
224.0.0.0/4 multicast
169.254.0.0/16 Microsoft Link Local

Of course much more important is to block packets with your local network as
source (maybe even destination if you do NAT). And to block outgoing spoofed
and leaking (i.e. with your internal sender address) outgoing pacets in the
egress filter.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!

Reply to:

Follow-Ups:
- Re: Ingress filtering
  - From: Pedro Corte-Real <typo@netcabo.pt>

References:
- Ingress filtering
  - From: Pedro Corte-Real <typo@netcabo.pt>

Prev by Date: Re: Ingress filtering
Next by Date: Re: problems with firewall/port forwarding...
Previous by thread: Re: Ingress filtering
Next by thread: Re: Ingress filtering
Index(es):
- Date
- Thread