On Fri, Oct 01, 1999 at 08:02:23AM -0400, rfuller@3x.com wrote:
deny ip 10.0.0.0 0.255.255.255 any log deny ip 172.16.0.0 0.15.255.255 any log deny ip 192.168.0.0 0.0.255.255 any log
These three clauses will block things like ICMP would-fragment and ttl-expired messages, in the event that some transitory bit of network between your customer and someone else's customer is numbered using RFC1918 address space (and causes such messages to be sent). I know of several networks which use RFC1918 addresses like this, in the belief that since the elements with these numbers never need to receive a packet from anybody outside the operator's network, there is no need for the numbers to be globally unique. In my opinion, such RFC1918 visibility in the public network is misguided, and half of the disruption to service caused by rules like those above could be considered just punishment. Trouble is, the other half of the disruption is for your customers, and you know who they're going to blame if they can't reach their favourite repository of huge flesh-tone jpegs. Operational content: does anybody actually block packets inbound from off-net, in the case where they are sourced from an RFC1918 address? If so, do your customers complain? Joe