Filtering Unwanted Traffic From The Internet

The following post explains one of the recommended methods of filtering unwanted traffic from the internet to the internal network.

Most administrators filter RFC-1918 addresses traversing from the internet to internal networks, while still allowing the list of bogon prefixes defined in RFC-3330. These addresses are _not_ publicly assigned, so you should never see them as the source IP of traffic destined for your internal network. Furthermore, it is a best practice from a security perspective to filter these ranges in case you are targeted by a spoofing attack.

As a reference to this post, please check RFC-3330 which contains all the prefixes in question.

The following configuration example shows RFC-3330 filtering on a Cisco ASA Firewall.

RFC3330 Object-group
object-group network RFC-3330
   network-object 0.0.0.0 255.0.0.0
   network-object 10.0.0.0 255.0.0.0
   network-object 14.0.0.0 255.0.0.0
   network-object 24.0.0.0 255.0.0.0
   network-object 39.0.0.0 255.0.0.0
   network-object 127.0.0.0 255.0.0.0
   network-object 128.0.0.0 255.255.0.0
   network-object 169.254.0.0 255.255.0.0
   network-object 172.16.0.0 255.240.0.0
   network-object 191.255.0.0 255.255.0.0
   network-object 192.0.0.0 255.255.255.0
   network-object 192.0.2.0 255.255.255.0
   network-object 192.88.99.0 255.255.255.0
   network-object 192.168.0.0 255.255.0.0
   network-object 198.18.0.0 255.254.0.0
   network-object 223.255.255.0 255.255.255.0
   network-object 224.0.0.0 240.0.0.0
   network-object 240.0.0.0 240.0.0.0

Create the access list, where the ACL named INTERNET is the one applied to the OUTSIDE interface.

RFC3330 ACL
access-list INTERNET deny ip object-group RFC-3330 any
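To check that the object-group above matches what you expect before the deny entry goes live, here is an added Python example (not part of the original post, and not Cisco tooling) that parses the ASA `network-object <address> <netmask>` syntax into CIDR prefixes and tests source addresses against them; the `SAMPLE_LOG` records and the `classify` helper are constructed for illustration.

```python
import ipaddress

# Object-group copied from the post, embedded as a string so the script runs offline.
ASA_OBJECT_GROUP = """\
object-group network RFC-3330
   network-object 0.0.0.0 255.0.0.0
   network-object 10.0.0.0 255.0.0.0
   network-object 14.0.0.0 255.0.0.0
   network-object 24.0.0.0 255.0.0.0
   network-object 39.0.0.0 255.0.0.0
   network-object 127.0.0.0 255.0.0.0
   network-object 128.0.0.0 255.255.0.0
   network-object 169.254.0.0 255.255.0.0
   network-object 172.16.0.0 255.240.0.0
   network-object 191.255.0.0 255.255.0.0
   network-object 192.0.0.0 255.255.255.0
   network-object 192.0.2.0 255.255.255.0
   network-object 192.88.99.0 255.255.255.0
   network-object 192.168.0.0 255.255.0.0
   network-object 198.18.0.0 255.254.0.0
   network-object 223.255.255.0 255.255.255.0
   network-object 224.0.0.0 240.0.0.0
   network-object 240.0.0.0 240.0.0.0
"""

# Constructed sample connection records (not real firewall logs); src= comes first.
SAMPLE_LOG = [
    "src=10.1.2.3 dst=198.51.100.10 dport=443",
    "src=198.18.5.5 dst=198.51.100.10 dport=53",
    "src=198.20.0.1 dst=198.51.100.10 dport=80",
]

def parse_object_group(text):
    # Turn ASA 'network-object <addr> <netmask>' lines into ip_network prefixes;
    # strict=True rejects an entry whose host bits are set (a mask typo).
    return [ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=True)
            for p in (line.split() for line in text.splitlines())
            if len(p) == 3 and p[0] == "network-object"]

def is_bogon(src, nets):
    # True when the source address falls inside any listed prefix.
    return any(ipaddress.ip_address(src) in n for n in nets)

def classify(records, nets):
    # Split records into sources the deny entry would drop and those it would pass.
    denied, passed = [], []
    for rec in records:
        src = rec.split()[0].split("=", 1)[1]
        (denied if is_bogon(src, nets) else passed).append(src)
    return denied, passed
```

Note that 198.20.0.1 passes because the 255.254.0.0 mask on 198.18.0.0 only covers 198.18.0.0 through 198.19.255.255; checking a few boundary addresses like this catches mask mistakes before they end up in a production ACL.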

Copyright © Nish Vamadevan 2002-2017. All Rights Reserved.