On Sun, 16 Jul 2000, Bohdan Tashchuk wrote:
The relevant snippet of my rules on my ingress filter is:
1) ... block bad things such as unused or spoofed addrs ...
2) allow icmp from any to any icmptypes 0,3,4,11,12
3) deny ip from 10.0.0.0/8 to any
4) deny ip from 172.16.0.0/12 to any
5) deny ip from 192.168.0.0/16 to any
6) allow tcp from any to any 1024-65535 established
7) ... some other rules ...
8) deny everything else by default
Line #2 allows relatively benign incoming ICMP, such as "fragmentation needed", but hopefully blocks the more problematic stuff.
<SNIP>
If you take it upon yourself to "filter all RFC1918 usage" from the outside world, you (and your customers) will suffer for it. Because it seems to be established practice out there.
The ruleset you use is great for a leaf-node. The problem it can represent on the borders of a larger network is that a lot of nice script kiddies like to spoof their source as RFC1918 space and since ICMP is 8 times out of 10 their payload, using such on the edges exposes the core (and potentially some poor customer of yours on a DS1, etc) to whatever level of hate-and-discontent you're capable of accepting on the borders.

---
John Fraizer
EnterZone, Inc
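To make the ordering point concrete, here is an added first-match evaluator (not code from either poster) that walks Bohdan's posted rules the way ipfw would and compares them with a reordered variant in which the RFC1918 denies precede the ICMP allow; the reordering, the packet dictionaries and the sample addresses are constructed for this illustration, and the elided rules 1 and 7 are omitted.

```python
import ipaddress

# Bohdan's ingress ruleset from the thread, evaluated first-match like ipfw.
# Rule 1 ("bad things") and rule 7 ("some other rules") are elided in the
# post and so are left out; the rest is transcribed as posted.
# Rule tuple: (action, proto, src_net, dst_port_range, icmp_types, established)
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def rfc1918_denies():
    return [("deny", "ip", net, None, None, False) for net in RFC1918]

ICMP_ALLOW = ("allow", "icmp", "0.0.0.0/0", None, {0, 3, 4, 11, 12}, False)
TCP_ESTABLISHED = ("allow", "tcp", "0.0.0.0/0", (1024, 65535), None, True)

# Order exactly as posted: rule 2 (ICMP allow) before rules 3-5 (RFC1918 deny).
RULESET_AS_POSTED = [ICMP_ALLOW] + rfc1918_denies() + [TCP_ESTABLISHED]

# Constructed alternative (an assumption, not from the post): bogon denies first.
RULESET_REORDERED = rfc1918_denies() + [ICMP_ALLOW, TCP_ESTABLISHED]

def matches(rule, pkt):
    action, proto, src_net, ports, icmp_types, est = rule
    if proto != "ip" and proto != pkt["proto"]:          # "ip" matches any proto
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_net):
        return False
    if icmp_types is not None and pkt.get("icmp_type") not in icmp_types:
        return False
    if ports is not None and not (ports[0] <= pkt.get("dport", -1) <= ports[1]):
        return False
    if est and not pkt.get("established", False):        # ipfw "established"
        return False
    return True

def verdict(ruleset, pkt):
    """First matching rule decides; anything unmatched hits rule 8 (deny)."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

# Constructed sample: ICMP type 3 ("fragmentation needed") arriving with a
# spoofed 10.0.0.0/8 source, the case the reply above warns about.
SPOOFED_ICMP = {"proto": "icmp", "src": "10.1.2.3", "icmp_type": 3}

if __name__ == "__main__":
    print("as posted :", verdict(RULESET_AS_POSTED, SPOOFED_ICMP))   # allow
    print("reordered :", verdict(RULESET_REORDERED, SPOOFED_ICMP))   # deny
```

With the rules in the posted order the spoofed-source ICMP is accepted by rule 2 before rules 3-5 are consulted; putting the RFC1918 denies first closes that gap for the five permitted ICMP types without changing what legitimate traffic sees.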