[7461] in North American Network Operators' Group
Re: RFC1918 conformance
daemon@ATHENA.MIT.EDU (Andrew Partan)
Mon Feb 10 19:36:19 1997
From: Andrew Partan <asp@partan.com>
To: prt@Teleglobe.CA
Date: Mon, 10 Feb 1997 19:15:03 -0500 (EST)
Cc: amilutin@infocom.kiev.ua, bgp4-adm@sprint.net, hostmaster@ripe.net,
nanog@merit.edu, rr-admin@Teleglobe.net
In-Reply-To: <Pine.HPP.3.94.970210163818.18429D-100000@alpha.Teleglobe.CA> from "Pierre Thibaudeau" at Feb 10, 97 05:10:33 pm
My standard in & out route filters are attached.
Everyone should use something like this.
--asp@partan.com (Andrew Partan)
! This list is used to block bogon routes to/from peers.
! Deny martian routes
no access-list 180
! 0/anything
access-list 180 deny ip host 0.0.0.0 any
! 127/8 & longer
access-list 180 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
! The private use nets
access-list 180 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 180 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
! Test net
access-list 180 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
! 1st and last classical B and C nets (guard nets).
access-list 180 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
! All multicast routes - the router now does this itself, but it didn't
! at one point.....
access-list 180 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
! Block all routes with a mask longer than /24.
access-list 180 deny ip any 255.255.255.128 0.0.0.127
access-list 180 permit ip any any
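
An added example, not part of the original message: a small Python evaluator that reads the access-list 180 entries above the way a route filter uses them (first address/wildcard pair tested against the route's network, second pair against its netmask) and returns the first-match verdict for a prefix. The function names and the test prefixes are assumptions made for illustration.

```python
import ipaddress
# Assumption: entries are route-filter ACL lines as posted above (comments omitted).
ACL_180 = """\
access-list 180 deny ip host 0.0.0.0 any
access-list 180 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 180 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 180 deny ip any 255.255.255.128 0.0.0.127
access-list 180 permit ip any any
"""

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def _operand(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (value, wildcard)."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return _int(tokens.pop(0)), 0
    return _int(word), _int(tokens.pop(0))

def parse(text):
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        action, rest = tokens[2], tokens[4:]   # skip "access-list 180" and "ip"
        rules.append((action, _operand(rest), _operand(rest)))
    return rules

def _match(value, operand):
    want, wildcard = operand
    care = ~wildcard & 0xFFFFFFFF          # wildcard bits set mean "don't care"
    return (value & care) == (want & care)

def evaluate(prefix, rules):
    """First-match verdict: source field vs network, destination field vs netmask."""
    route = ipaddress.IPv4Network(prefix)
    for action, net, mask in rules:
        if _match(int(route.network_address), net) and _match(int(route.netmask), mask):
            return action
    return "deny"                          # implicit deny at the end of an access list

RULES = parse(ACL_180)
```

Calling `evaluate("10.1.2.0/24", RULES)` returns `"deny"` and `evaluate("198.51.100.0/24", RULES)` returns `"permit"`; because each entry matches the listed block and longer masks only, a shorter covering aggregate is not caught by these lines and is worth checking separately.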