[Snort-users] Loopback traffic
mkettler at ...4108...
Mon Apr 26 07:16:03 EDT 2004
At 05:16 PM 4/23/2004, Chuck Holley wrote:
>and we are going to investigate
>adding something for 127.0.0.1 into our routers access list. Has anyone
>ever done that?
Yes.. it's part of my standard rules. I block many of the IANA reserved
blocks that will obviously never be allocated at my border.
Some simple Cisco IOS ACLs I use (some descriptions lifted from RFC 3330):
!one backdoor uses 255.255.255.255 as source IP. the whole
!240/4 is reserved for limited broadcast, but I'm only
!blocking the single host full broadcast here
access-list 100 deny ip host 255.255.255.255 any log
! 0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
! network. Address 0.0.0.0/32 may be used as a source address for this
! host on this network; other addresses within 0.0.0.0/8 may be used to
! refer to specified hosts on this network [RFC1700, page 4].
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
! 127.0.0.0/8 - This block is assigned for use as the Internet host
! loopback address.
! This is ordinarily implemented using only 127.0.0.1/32 for loopback,
! but no addresses within this block should ever appear on any network
! anywhere [RFC1700, page 5].
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip any 127.0.0.0 0.255.255.255 log
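To make the wildcard-mask semantics of the ACL lines above concrete, here is an added example (not part of the original post or of Cisco IOS): a small Python evaluator that parses those extended ACL entries, converts each `address wildcard` pair into a prefix, and applies IOS first-match semantics with the implicit deny at the end. The trailing `permit ip any any` is a constructed line added so that ordinary traffic has something to match; the post only shows the deny entries.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample: the four deny entries from the post plus an added
# "permit ip any any" so that non-bogon traffic is accepted by the evaluator.
ACL_TEXT = """
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip any 127.0.0.0 0.255.255.255 log
access-list 100 permit ip any any
"""


class Entry(NamedTuple):
    action: str                     # "deny" or "permit"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool                       # whether the entry carries the "log" keyword


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a prefix.

    A wildcard mask is an inverted netmask: a 1 bit means "don't care".
    This helper assumes a contiguous wildcard (0.255.255.255 etc.);
    non-contiguous wildcards are legal in IOS but not handled here.
    """
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(
        (addr, str(ipaddress.IPv4Address(netmask))), strict=False
    )


def parse_address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list <n> <deny|permit> ip <src> <dst> [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action = tokens[2]
        src, i = parse_address(tokens, 4)      # tokens[3] is the protocol ("ip")
        dst, i = parse_address(tokens, i)
        entries.append(Entry(action, src, dst, "log" in tokens[i:]))
    return entries


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str) -> Tuple[str, bool]:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action, e.log
    return "deny", False


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample packets: loopback source, loopback destination,
    # limited-broadcast source, "this network" source, and ordinary traffic.
    for src, dst in [("127.0.0.1", "203.0.113.5"), ("198.51.100.7", "127.0.0.1"),
                     ("255.255.255.255", "203.0.113.5"), ("0.1.2.3", "203.0.113.5"),
                     ("198.51.100.7", "203.0.113.5")]:
        action, logged = evaluate(acl, src, dst)
        print(f"{src:>16} -> {dst:<14} {action}{' (log)' if logged else ''}")
```

Running the module prints one verdict per sample packet; the 127/8 and 0/8 entries show up as /8 prefixes once the wildcard is inverted, which is the check worth doing before trusting a wildcard mask typed by hand. Note that the ACL in the post is deny-only, so without a closing permit (or further entries) everything else would fall to the implicit deny.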