Best practice ACLs for an internet facing border router?
I'm just curious if anyone has ever published a list of what is an agreed-upon best practice list of ACLs for an internet facing border router. I'm talking about things like bogons, private IP addresses, et cetera. If anyone is aware of anything like this I'd like to see it. Thanks, -Drew
block bogons
block your IPs from outside
block RFC 1918 (martians)
block common worm ports

On 6/13/05, Drew Weaver <drew.weaver@thenap.com> wrote:
I'm just curious if anyone has ever published a list of what is an agreed-upon best practice list of ACLs for an internet facing border router. I'm talking about things like bogons, private IP addresses, et cetera. If anyone is aware of anything like this I'd like to see it.
Thanks, -Drew
On Mon, 13 Jun 2005, Drew Weaver wrote:
I'm just curious if anyone has ever published a list of what is an agreed-upon best practice list of ACLs for an internet facing border router. I'm talking about things like bogons, private IP addresses, et cetera. If anyone is aware of anything like this I'd like to see it.
I suggest reviewing RFC 3330. The bogon list needs to be kept up to date (some interesting discussions on SAGE-AU of organisations not doing that), but for a list of subnets reserved for different purposes RFC 3330 is invaluable.

Rob

--
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073
Email: rbrockway@opentrend.net
http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
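The four items in Kim's reply (bogons, your own space arriving from outside, RFC 1918/martians, worm ports) and Robert's pointer to RFC 3330 together describe one inbound ACL. The script below is an added example written for this thread, not code posted by any participant: it keeps that ACL as a single ordered rule list, renders it as a Cisco IOS extended ACL (wildcard masks, first match wins), and evaluates sample packets against the same list so the ordering can be checked before it goes on a router. The site prefix 203.0.113.0/24, the ACL name BORDER-IN and the sample packets are constructed values; the unallocated-bogon table is deliberately left empty, since that is the part Robert says goes stale and it should be refreshed from a maintained source rather than copied from a 2005 message.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical site allocation (constructed example value): the address space
# this border router announces.  Substitute your own prefixes.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 3330 special-use blocks that should never be a *source* address on
# the upstream interface.  192.88.99.0/24 (6to4 relay anycast) is also in
# RFC 3330 but is a legitimate source for 6to4 traffic, so it is left out.
RFC3330_MARTIANS = {
    "0.0.0.0/8": "this network",
    "10.0.0.0/8": "RFC 1918 private",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "172.16.0.0/12": "RFC 1918 private",
    "192.0.2.0/24": "TEST-NET",
    "192.168.0.0/16": "RFC 1918 private",
    "198.18.0.0/15": "benchmark testing",
    "224.0.0.0/4": "multicast, never valid as a source",
    "240.0.0.0/4": "reserved",
}

# Unallocated space (the bogons proper) changes every time a registry is
# handed a new block, which is exactly the list that goes stale.  It is
# intentionally empty here: refresh it from a maintained bogon source or
# the IANA IPv4 address space registry before each deployment.
UNALLOCATED_BOGONS: dict[str, str] = {}

# Ports abused by the worms current when this thread was written
# (Blaster: TCP 135, Sasser: TCP 445, Slammer: UDP 1434; TCP 139 is the
# NetBIOS session port).  Blocking these at the border also breaks any
# legitimate use of them across the internet; it is a per-site decision.
WORM_PORTS = [("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 1434)]


@dataclass(frozen=True)
class Rule:
    action: str                            # "deny" or "permit"
    proto: str                             # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dport: Optional[int]                   # None means any destination port
    remark: str


def ingress_rules() -> list[Rule]:
    """Ordered rule list for the inbound ACL on the upstream interface."""
    rules = [Rule("deny", "ip", net, None, "anti-spoof: our own prefix arriving from outside")
             for net in OUR_PREFIXES]
    for table, tag in ((RFC3330_MARTIANS, "RFC 3330"), (UNALLOCATED_BOGONS, "bogon")):
        for cidr, why in table.items():
            rules.append(Rule("deny", "ip", ipaddress.ip_network(cidr), None, f"{tag}: {why}"))
    for proto, port in WORM_PORTS:
        rules.append(Rule("deny", proto, None, port, f"worm port {proto}/{port}"))
    rules.append(Rule("permit", "ip", None, None, "everything else"))
    return rules


def render_ios(rules: list[Rule], name: str = "BORDER-IN") -> str:
    """Render the rules as a Cisco IOS extended ACL (wildcard masks, first match wins)."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        src = "any" if r.src is None else f"{r.src.network_address} {r.src.hostmask}"
        port = "" if r.dport is None else f" eq {r.dport}"
        lines.append(f" remark {r.remark}")
        lines.append(f" {r.action} {r.proto} {src} any{port}")
    return "\n".join(lines)


def verdict(rules: list[Rule], src: str, proto: str,
            dport: Optional[int] = None) -> tuple[str, str]:
    """Evaluate one inbound packet with IOS first-match semantics.

    Returns (action, remark of the rule that matched)."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.src is not None and addr not in r.src:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.remark
    raise ValueError("rule list must end with a catch-all")


if __name__ == "__main__":
    rules = ingress_rules()
    print(render_ios(rules))
    # Constructed sample packets: spoofed RFC 1918 source, our own prefix
    # arriving from outside, a worm port, and ordinary HTTPS traffic.
    for pkt in [("10.1.2.3", "tcp", 80), ("203.0.113.7", "udp", 53),
                ("198.51.100.9", "tcp", 445), ("198.51.100.9", "tcp", 443)]:
        print(pkt, "->", verdict(rules, *pkt))
```

Apply the rendered list inbound on the upstream interface (ip access-group BORDER-IN in); whether it belongs there or in a receive ACL is the platform question matthew raises further down the thread. The rule order matters: the anti-spoof and martian denies go first so that a spoofed packet is dropped regardless of port, and the worm-port denies sit just above the final permit so they never shadow anything more specific.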
Drew Weaver wrote:
I'm just curious if anyone has ever published a list of what is an agreed-upon best practice list of ACLs for an internet facing border router. I'm talking about things like bogons, private IP addresses, et cetera. If anyone is aware of anything like this I'd like to see it.
Depending on your flavor of router, you might need to take multiple approaches. On my 12000s, I'm only using RACLs (beyond prefix filtering) and do more specific ACLs closer down to the "core".

--
matthew zeier - "Curiosity is a willing, a proud, an eager confession of ignorance." - Leonard Rubenstein
participants (4): Drew Weaver, Kim Onnel, matthew zeier, Robert Brockway