[Snort-users] Loopback traffic

Matt Kettler mkettler at ...4108...
Mon Apr 26 07:16:03 EDT 2004

At 05:16 PM 4/23/2004, Chuck Holley wrote:
>and we are going to investigate
>adding something for into our routers access list.  Has anyone
>ever done that?

Yes, it's part of my standard rules. I block many of the IANA-reserved
blocks that will obviously never be allocated at my border.

Some simple Cisco IOS ACLs I use (some descriptions lifted from RFC 3330):

! One backdoor uses as source IP. The whole
! 240/4 is reserved for limited broadcast, but I'm only
! blocking the single host full broadcast here
access-list 100 deny   ip host any log

! - Addresses in this block refer to source hosts on "this"
!   network.  Address may be used as a source address for this
!   host on this network; other addresses within may be used to
!   refer to specified hosts on this network [RFC1700, page 4].
access-list 100 deny   ip any log

! - This block is assigned for use as the Internet host
!   loopback address.
!   This is ordinarily implemented using only for loopback,
!   but no addresses within this block should ever appear on any network
!   anywhere [RFC1700, page 5].

access-list 100 deny   ip any log
access-list 100 deny   ip any log
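Added example, not from the post above: a small Python check that renders the three reserved source blocks the ACL comments describe (0.0.0.0/8, 127.0.0.0/8 and 255.255.255.255, as listed in RFC 3330) as IOS wildcard-mask ACL lines, then flags any of those addresses appearing as a source in constructed log lines shaped like IOS access-list log messages. The log lines, the ACL number and the block labels are assumptions made for the example.

```python
import ipaddress
import re

# Reserved blocks from RFC 3330 described in the ACL comments; none of these
# should ever arrive as a *source* address at a border router.
RESERVED_SOURCES = {
    "this-network": ipaddress.ip_network("0.0.0.0/8"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "limited-broadcast": ipaddress.ip_network("255.255.255.255/32"),
}


def classify_source(addr: str):
    """Return the reserved-block label for addr, or None if it is not reserved."""
    ip = ipaddress.ip_address(addr)
    for label, net in RESERVED_SOURCES.items():
        if ip in net:
            return label
    return None


def ios_acl_lines(acl_number: int = 100) -> list:
    """Render the table above as IOS numbered-ACL lines (wildcard-mask syntax)."""
    lines = []
    for net in RESERVED_SOURCES.values():
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.hostmask}"  # hostmask == IOS wildcard
        lines.append(f"access-list {acl_number} deny   ip {src} any log")
    return lines


# Constructed sample lines in the shape of IOS ACL log messages (not real traffic).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 100 denied tcp 127.0.0.1(4444) -> 10.1.2.3(80), 1 packet
%SEC-6-IPACCESSLOGP: list 100 denied udp 0.0.0.0(68) -> 10.1.2.255(67), 3 packets
%SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(51234) -> 10.1.2.3(22), 1 packet
"""
SRC_RE = re.compile(r"denied \w+ (\d{1,3}(?:\.\d{1,3}){3})\(\d+\) ->")


def flag_reserved_sources(log_text: str) -> list:
    """Return (source, label) for every log line whose source address is reserved."""
    hits = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m and (label := classify_source(m.group(1))):
            hits.append((m.group(1), label))
    return hits
```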
