One method that attackers often use to obtain network information is to impersonate a trusted member of a network. The attacker cheats the source IP address in the packet and sends it to the internal network. An attacker would only need to change the source IP address in the packet to an address that belonged to an internal subnet.
1. Inbound
Rules |
Never allow packets of any source address that are internal host addresses or network addresses to enter a private network. |
RB (config) #access-list deny IP 127.0.0.0 0.255.255.255 any log
RB (config) #access-list deny IP 0.0.0.0 255.255.255.255 any log
RB (config) #access-list deny IP 10.0.0.0 0.255.255.255 any log
RB (config) #access-list deny IP 172.16.0.0 0.15.255.255 any log
RB (config) #access-list deny IP 192.168.0.0 0.0.255.255 any log
RB (config) #access-list deny IP 224.0.0.0 15.255.255.255 any log
RB (config) #access-list deny IP host 255.255.255.255 any log
RB (config) #access-list permit IP any
RB (config) #interface serial 2/0
RB (config-if) #ip Access-group in
The function of the back log is that it will be displayed on the console when the packet applies the policy denied.
This access control list rejects any packets from the following source address:
n any local host address (127.0.0.0/8);
N any reserved private address;
n Any multicast IP address (224.0.0.0/4).
2. Outbound
Rules |
You should never allow IP packets outbound that contain a valid address for a non-internal network. |
RB (config) #access-list permit IP 192.168.0.0 0.0.255.255 any
RB (config) #access-list deny IP any log
RB (config) #interface serial 2/0
RB (conofig-if) #ip Access-group
More Wonderful content: http://www.bianceng.cnhttp://www.bianceng.cn/Network/lyjs/