[149532] in North American Network Operators' Group
RE: Firewalls in service provider environments
daemon@ATHENA.MIT.EDU (George Bonser)
Tue Feb 7 17:34:59 2012
From: George Bonser <gbonser@seven.com>
To: Matthew Reath <matt@mattreath.com>
Date: Tue, 7 Feb 2012 22:34:07 +0000
In-Reply-To: <27254847074d9b716c9e9dfc1b892661.squirrel@mail.mattreath.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
>
> Here is the template we typically use (or a variant of it):
>
> <-- snippet -->
> access-list 102 deny ip 10.0.0.0 0.255.255.255 any
> access-list 102 deny ip 172.16.0.0 0.15.255.255 any
> access-list 102 deny ip 192.168.0.0 0.0.255.255 any
> access-list 102 deny ip 0.0.0.0 0.255.255.255 any
> access-list 102 deny ip 127.0.0.0 0.255.255.255 any
> access-list 102 deny ip 224.0.0.0 15.255.255.255 any
> access-list 102 deny ip host 255.255.255.255 any
I typically also include traffic to/from:
TCP/UDP port 0
169.254.0.0/16
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
I've been wondering if I should also block 198.18.0.0/15.
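The two lists above (the quoted source-address template plus the to/from ranges and port 0 added in the reply) combined into one runnable filter, as an added example that is not part of either poster's message or of any vendor code. It regenerates the quoted access-list 102 lines from prefix notation (Cisco wildcard masks are the inverse of the netmask, which is what ipaddress.ip_network().hostmask returns) and applies the same rules to flow tuples. Treating the reply's ranges as bidirectional, keeping 198.18.0.0/15 behind an opt-in flag since the reply is undecided on it, and the sample flows themselves are all assumptions made for the example.

```python
"""Bogon/martian ingress filter modelled on the ACL template quoted in this thread.

Added example, not code from the thread. Assumptions: the reply's extra ranges are
filtered in both directions; 198.18.0.0/15 (RFC 2544 benchmarking) is optional.
"""
import ipaddress
from typing import Iterator, List, Optional, Sequence, Tuple

# Source-only denies: exactly the networks in the quoted access-list 102.
TEMPLATE_SOURCE_BOGONS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32",
]

# Ranges the reply adds, filtered "to/from" (as source and as destination).
REPLY_TO_FROM = ["169.254.0.0/16", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

# Range the reply is still undecided about; assumption: opt-in via a flag.
BENCHMARK_RANGE = "198.18.0.0/15"


def _nets(prefixes: Sequence[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(p) for p in prefixes]


def cisco_acl_lines(acl_number: int, prefixes: Sequence[str],
                    direction: str = "source") -> Iterator[str]:
    """Emit numbered extended-ACL lines in the syntax of the quoted template.

    direction="source":      access-list N deny ip <net> <wildcard> any
    direction="destination": access-list N deny ip any <net> <wildcard>
    A /32 is written with the 'host' keyword, as the template does for 255.255.255.255.
    """
    for net in _nets(prefixes):
        if net.prefixlen == 32:
            target = f"host {net.network_address}"
        else:
            # hostmask is the inverse netmask, i.e. the Cisco wildcard mask.
            target = f"{net.network_address} {net.hostmask}"
        if direction == "source":
            yield f"access-list {acl_number} deny ip {target} any"
        else:
            yield f"access-list {acl_number} deny ip any {target}"


def match_net(addr: str, prefixes: Sequence[str]) -> Optional[str]:
    """Return the first listed prefix containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in _nets(prefixes):
        if ip in net:
            return str(net)
    return None


def drop_reason(src: str, dst: str, proto: str, sport: Optional[int] = None,
                dport: Optional[int] = None, block_benchmark: bool = False) -> Optional[str]:
    """Decide whether a flow would be denied by the combined template + reply rules.

    Returns a human-readable reason for a drop, or None when the flow is permitted.
    """
    to_from = list(REPLY_TO_FROM) + ([BENCHMARK_RANGE] if block_benchmark else [])
    hit = match_net(src, TEMPLATE_SOURCE_BOGONS + to_from)
    if hit:
        return f"source {src} in {hit}"
    hit = match_net(dst, to_from)
    if hit:
        return f"destination {dst} in {hit}"
    # The reply also drops TCP/UDP port 0 in either direction.
    if proto in ("tcp", "udp") and 0 in (sport, dport):
        return f"{proto} port 0"
    return None


Flow = Tuple[str, str, str, int, int]

# Constructed sample flows (src, dst, proto, sport, dport); not captured traffic.
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.2.3", "8.8.8.8", "tcp", 40000, 53),       # RFC 1918 source
    ("8.8.8.8", "192.0.2.7", "udp", 53, 40000),      # TEST-NET-1 destination
    ("8.8.8.8", "1.1.1.1", "udp", 0, 53),            # port 0
    ("198.18.0.1", "1.1.1.1", "tcp", 40000, 443),    # benchmarking range, opt-in
    ("8.8.8.8", "1.1.1.1", "tcp", 40000, 443),       # ordinary flow
]


def filter_flows(flows: Sequence[Flow], block_benchmark: bool = False):
    """Annotate each flow with its drop reason (None means permit)."""
    return [(f, drop_reason(*f, block_benchmark=block_benchmark)) for f in flows]


if __name__ == "__main__":
    for line in cisco_acl_lines(102, TEMPLATE_SOURCE_BOGONS):
        print(line)
    for line in cisco_acl_lines(102, REPLY_TO_FROM, "source"):
        print(line)
    for line in cisco_acl_lines(102, REPLY_TO_FROM, "destination"):
        print(line)
    for flow, reason in filter_flows(SAMPLE_FLOWS, block_benchmark=True):
        print(flow, "->", "permit" if reason is None else f"deny ({reason})")
```

The generator reproduces the seven quoted lines verbatim from prefix notation, which is a cheap way to check a hand-typed wildcard mask before it goes on a box; an off-by-one in a wildcard (0.15.255.255 vs 0.16.255.255) silently widens or narrows the deny.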