Border Router Question - Ingress Filtering

From: erisk (erisk_at_iinet.net.au)
Date: 11/12/03

    To: <security-basics@securityfocus.com>
    Date: Wed, 12 Nov 2003 15:11:59 +0800
    
    

    Border routers ACL In rule

    Acl in
    permit tcp any host ***.***.***.**6
    permit tcp any host ***.***.***.**5
    permit tcp any host ***.***.***.**4
    permit tcp any host ***.***.***.**3
    deny ip any any log

    The firewall then filters on a port level.

    My question is: if they are denying all IPs other than what is specified in
    the list, is it necessary to then add the standard spoofing deny rules (i.e.
    drop localhost, multicast, RFC1918 addresses etc.)? This will be taken care of
    by the deny ip any any rule, would it not?

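An added example, not part of the original post: a small first-match ACL evaluator run over the posted rule set, showing which packets reach the final deny and which are matched earlier by the `permit tcp any host` lines. The host addresses are constructed stand-ins from the documentation range for the masked ones, and all function and variable names are hypothetical.

```python
import ipaddress

# Constructed stand-ins: the post masks the four permitted hosts, so
# RFC 5737 documentation addresses are used here instead.
HOSTS = ["192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.6"]

def rule(action, proto, src="0.0.0.0/0", dst="0.0.0.0/0"):
    """One ACL entry; 'any' is modelled as 0.0.0.0/0."""
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst))

# The ACL as posted: four 'permit tcp any host X' lines, then 'deny ip any any'.
POSTED_ACL = [rule("permit", "tcp", dst=h + "/32") for h in HOSTS] + [rule("deny", "ip")]

# Source ranges named in the question: localhost, multicast, RFC1918.
SPOOF_SOURCES = ["127.0.0.0/8", "224.0.0.0/4",
                 "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Same ACL with source-based deny rules placed ahead of the permits.
HARDENED_ACL = [rule("deny", "ip", src=s) for s in SPOOF_SOURCES] + POSTED_ACL

def evaluate(acl, proto, src, dst):
    """First-match evaluation, top down: the first matching entry decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst in acl:
        if rproto in ("ip", proto) and s in rsrc and d in rdst:
            return action
    return "deny"  # nothing matched: implicit deny

# Constructed sample packets: (protocol, source, destination).
SAMPLES = [
    ("tcp", "198.51.100.7", "192.0.2.5"),  # ordinary Internet source
    ("tcp", "10.1.2.3", "192.0.2.5"),      # RFC1918 source, listed host
    ("tcp", "127.0.0.1", "192.0.2.4"),     # loopback source, listed host
    ("udp", "10.1.2.3", "192.0.2.5"),      # non-TCP to a listed host
    ("tcp", "10.1.2.3", "192.0.2.9"),      # RFC1918 source, unlisted host
]

def compare():
    """Return (packet, posted verdict, hardened verdict) for each sample."""
    return [(p, evaluate(POSTED_ACL, *p), evaluate(HARDENED_ACL, *p)) for p in SAMPLES]

if __name__ == "__main__":
    for pkt, posted, hardened in compare():
        print(f"{pkt[0]:3} {pkt[1]:>14} -> {pkt[2]:<10} posted={posted:6} hardened={hardened}")
```

The final deny only sees packets that no permit matched, so a TCP packet to a listed host is permitted under the posted ACL whatever its source address claims to be.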

