[149542] in North American Network Operators' Group

Re: Firewalls in service provider environments

daemon@ATHENA.MIT.EDU (Steve Bertrand)
Tue Feb 7 22:21:09 2012

Date: Tue, 07 Feb 2012 22:20:13 -0500
From: Steve Bertrand <steve.bertrand@gmail.com>
To: nanog@nanog.org
In-Reply-To: <CAArzuou_yr8aCtxQzg50CnHh7hy2zbPkbpXKjDsYiZxtLWvK_w@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 2012.02.07 20:47, Suresh Ramasubramanian wrote:
> On Wed, Feb 8, 2012 at 4:04 AM, George Bonser<gbonser@seven.com>  wrote:
>> I typically also include traffic to/from:
>>
>> TCP/UDP port 0
>> 169.254.0.0/16
>> 192.0.2.0/24
>> 198.51.100.0/24
>> 203.0.113.0/24
>>
>> Been wondering if I should also block 198.18.0.0/15 as well.
>
> suresh@frodo 17:46:08 :~$ nslookup 1.113.0.203.bogons.cymru.com
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name:   1.113.0.203.bogons.cymru.com
> Address: 127.0.0.2
>
> Also available as a bgp feed, for years now.   Saves you updating your
> martian ACLs from time to time.

Amen. v4 and v6 lists are available via free BGP feed (via v4 and v6 
peering) from Cymru. Dynamic simplicity within community's finest standards.

Works wonders for those who have s/RTBH deployed.
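The two mechanisms discussed in this thread, a static martian ACL and a per-address lookup against the Team Cymru bogon DNS zone, can be prototyped in a few lines. The following is an added example written for this archive page; it is not code from either poster. The prefix table is constructed from the addresses George lists (plus the 198.18.0.0/15 range he asks about), the reversed-octet name format follows Suresh's nslookup output, and the 127.0.0.2 meaning of "listed" is taken from that same output. Live resolution needs network access and is kept in a separate function.

```python
import ipaddress
import socket

# Martian prefixes from the thread. Constructed table for this example; in
# production you would generate it from the Cymru BGP feed rather than
# hand-maintaining it, which is exactly the point Suresh makes.
MARTIAN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "169.254.0.0/16",   # IPv4 link-local
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "198.51.100.0/24",  # TEST-NET-2 (documentation)
    "203.0.113.0/24",   # TEST-NET-3 (documentation)
    "198.18.0.0/15",    # benchmarking range George asks about
)]

BOGON_ZONE = "bogons.cymru.com"
BOGON_ANSWER = "127.0.0.2"   # answer seen in the nslookup output above


def matches_local_acl(addr):
    """Return the first martian prefix containing addr, or None if clean."""
    ip = ipaddress.ip_address(addr)
    for net in MARTIAN_PREFIXES:
        if ip in net:
            return str(net)
    return None


def bogon_query_name(addr):
    """Build the reversed-octet lookup name for the Cymru zone.

    203.0.113.1 -> 1.113.0.203.bogons.cymru.com (as in the thread).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this helper builds IPv4 lookup names only")
    return ".".join(reversed(str(ip).split("."))) + "." + BOGON_ZONE


def classify_answer(answer):
    """Interpret a DNS result: 127.0.0.2 means listed as a bogon,
    no answer (NXDOMAIN, passed as None) means not listed."""
    if answer is None:
        return "not-bogon"
    if answer == BOGON_ANSWER:
        return "bogon"
    return "unexpected"   # any other value: treat as a lookup problem, not a verdict


def check_live(addr):
    """Resolve addr against the Cymru zone. Needs network access."""
    try:
        answer = socket.gethostbyname(bogon_query_name(addr))
    except socket.gaierror:
        answer = None
    return classify_answer(answer)


def should_drop(src, dst, sport, dport):
    """Apply the ACL George describes: drop TCP/UDP port 0 on either side,
    and drop traffic to or from any martian prefix. Returns the reason, or None."""
    if sport == 0 or dport == 0:
        return "port-0"
    for side in (src, dst):
        hit = matches_local_acl(side)
        if hit:
            return hit
    return None


if __name__ == "__main__":
    # Constructed sample flows (src, dst, sport, dport) for demonstration.
    flows = [
        ("10.0.0.1", "192.0.2.7", 40000, 80),
        ("10.0.0.1", "8.8.8.8", 0, 53),
        ("198.19.5.5", "10.0.0.1", 5000, 22),
        ("10.0.0.1", "8.8.8.8", 40001, 53),
    ]
    for f in flows:
        print(f, "->", should_drop(*f) or "permit")
    print("lookup name for 203.0.113.1:", bogon_query_name("203.0.113.1"))
```

`should_drop` is the static half of the design: cheap, offline, but only as current as the table. `check_live` is the dynamic half and is what the BGP feed replaces at scale, since a per-packet DNS lookup is not something you want in a forwarding path; use it for auditing ACLs or spot-checking a prefix, not for filtering.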