Filtering Source Addresses on gw-internet
In response to the many requests and comments on this list for all NetworkOps to install filtering to prevent IP spoofing attacks . . .

On my internet router (gw-internet) I had set up filtering some time ago to attempt to block all outgoing packets that do not have my network (a.b.c.0/24) as their source address. Then, I had to modify the acl 120 to prevent the default route for our internal network from leaking the occasional packet with an RFC 1597 private destination address out to our ISP. (We use Cisco 11.2 NAT to hide several medium-sized networks behind a couple of legit IPs.)

I took another spare router, slapped 1.1.1.1/8 on a secondary interface, and tried to ping out, and my acl seems to be OK.

I'm just trying to be responsible for my users (some of whom are at unsupervised and remote sites via dialup & ISDN) and prevent any other network ops from experiencing problems caused by ignorant / malicious users that may find their way onto my network!

Any comments / suggestions / improvements / warnings / something I have missed??? Thanks!

gw-internet#show access-lists 120
Extended IP access list 120
    deny ip any 10.0.0.0 0.255.255.255 log
    deny ip any 172.16.0.0 0.0.255.255 log
    deny ip any 172.17.0.0 0.0.255.255 log
    deny ip any 192.168.0.0 0.0.255.255 log
    permit ip a.b.c.0 0.0.0.255 any (27429 matches)
    deny ip any any log
gw-internet#
%SEC-6-IPACCESSLOGDP: list 120 denied icmp 1.1.1.1 -> 205.161.206.4 (8/0), 1 packet
ICMP: dst (205.161.206.4) administratively prohibited unreachable sent to 1.1.1.1
ICMP: dst (205.161.206.4) administratively prohibited unreachable sent to 1.1.1.1
ICMP: dst (205.161.206.4) administratively prohibited unreachable sent to 1.1.1.1
ICMP: dst (205.161.206.4) administratively prohibited unreachable sent to 1.1.1.1
ICMP: dst (205.161.206.4) administratively prohibited unreachable sent to 1.1.1.1
At 03:05 PM 8/12/97 -0400, C. Jon Larsen wrote:
> gw-internet#show access-lists 120
> Extended IP access list 120
>     deny ip any 10.0.0.0 0.255.255.255 log
>     deny ip any 172.16.0.0 0.0.255.255 log
>     deny ip any 172.17.0.0 0.0.255.255 log
>     deny ip any 192.168.0.0 0.0.255.255 log
>     permit ip a.b.c.0 0.0.0.255 any (27429 matches)
>     deny ip any any log
Lines 2 and 3 could be replaced by

    deny ip any 172.16.0.0 0.15.255.255 log

which would block all of 172.16.0.0-172.31.0.0 as per the RFC.

You might also want to block 127.0.0.0.

GK
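As an added example (not code from the thread or from either poster), here is a small Python evaluator for Cisco-style wildcard-mask ACL entries. It replays the spoofed 1.1.1.1 ping from the post against acl 120 as posted and shows why Greg's single 172.16.0.0 0.15.255.255 entry covers all of 172.16/12 while the posted pair only covers two /16s. The site's a.b.c.0/24 is stood in for by the constructed placeholder 203.0.113.0/24.

```python
import ipaddress

# Added example, not from the thread: evaluates Cisco-style extended ACL
# entries with wildcard masks. a.b.c.0/24 is stood in for by the constructed
# placeholder 203.0.113.0/24.
SITE = "203.0.113.0 0.0.0.255"

ACL_AS_POSTED = [                         # acl 120 as shown in the post
    ("deny", "any", "10.0.0.0 0.255.255.255"),
    ("deny", "any", "172.16.0.0 0.0.255.255"),
    ("deny", "any", "172.17.0.0 0.0.255.255"),
    ("deny", "any", "192.168.0.0 0.0.255.255"),
    ("permit", SITE, "any"),
    ("deny", "any", "any"),
]
ACL_MERGED = [                            # with Greg's /12 and 127/8 entries
    ("deny", "any", "10.0.0.0 0.255.255.255"),
    ("deny", "any", "172.16.0.0 0.15.255.255"),
    ("deny", "any", "192.168.0.0 0.0.255.255"),
    ("deny", "any", "127.0.0.0 0.255.255.255"),
    ("permit", SITE, "any"),
    ("deny", "any", "any"),
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = ~_ip(wild) & 0xFFFFFFFF
    return _ip(addr) & care == _ip(base) & care

def wildcard_to_cidr(spec):
    """'172.16.0.0 0.15.255.255' -> '172.16.0.0/12' (contiguous masks only)."""
    base, wild = spec.split()
    w = _ip(wild)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard mask")
    return str(ipaddress.ip_network(f"{base}/{32 - w.bit_length()}"))

def evaluate(acl, src, dst):
    """First match wins; returns (action, 1-based entry) or the implicit deny."""
    for n, (action, s_spec, d_spec) in enumerate(acl, start=1):
        if wildcard_match(src, s_spec) and wildcard_match(dst, d_spec):
            return action, n
    return "deny", None
```

Running evaluate(ACL_AS_POSTED, "203.0.113.9", "172.31.1.1") returns a permit on entry 5, while the same packet against ACL_MERGED is denied by entry 2, which is the gap Greg's /12 entry closes.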
Much thanks to everyone for their input. Greg, since you have "Cisco" in your email address, any comment on whether sending packets to a null interface is a quicker / more efficient way of blocking unwanted traffic? gw-internet is a little old 68030, with 1MB RAM.
+-------------------+---------------------+
| C. Jon Larsen     | jlarsen@ajtech.com  |
| Systems Engineer  | Tel: 804.353.2800   |
| A&J Technologies  |                     |
|-------------------+---------------------|
| http://www.ajtech.com                   |
+-----------------------------------------+