[Snort-users] Loopback traffic

Matt Kettler mkettler at ...4108...
Mon Apr 26 07:16:03 EDT 2004


At 05:16 PM 4/23/2004, Chuck Holley wrote:
>and we are going to investigate
>adding something for 127.0.0.1 into our routers access list.  Has anyone
>ever done that?

Yes.. it's part of my standard rules. I block many of the IANA reserved 
blocks that will obviously never be allocated at my border.

Some simple Cisco IOS ACLs I use (some descriptions lifted from RFC 3330):


!one backdoor uses 255.255.255.255 as source IP. the whole
!240/4 is reserved for limited broadcast, but I'm only
!blocking the single host full broadcast here
access-list 100 deny   ip host 255.255.255.255 any log

!  0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
!   network.  Address 0.0.0.0/32 may be used as a source address for this
!   host on this network; other addresses within 0.0.0.0/8 may be used to
!   refer to specified hosts on this network [RFC1700, page 4].
access-list 100 deny   ip 0.0.0.0 0.255.255.255 any log

!  127.0.0.0/8 - This block is assigned for use as the Internet host
!   loopback address.
!   This is ordinarily implemented using only 127.0.0.1/32 for loopback,
!   but no addresses within this block should ever appear on any network
!   anywhere [RFC1700, page 5].

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny   ip any 127.0.0.0 0.255.255.255 log
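To show what these rules actually match, here is a small emulator (an added example, not code from the post or from Cisco) that parses the numbered-ACL lines above, applies the wildcard-mask semantics IOS uses, and evaluates a few constructed source/destination pairs against them. It assumes the usual implicit "deny everything" at the end of a Cisco ACL and adds a hypothetical trailing `permit ip any any` so that ordinary traffic can be seen passing; only the `ip` protocol form with `any`, `host` and `address wildcard` specs is handled.

```python
import ipaddress

# Constructed sample: the rules from the post, plus a trailing permit that a real
# border ACL would need (assumption; the post shows only the deny lines).
SAMPLE_ACL = """
! martian / bogon source blocks (comments are ignored by the parser)
access-list 100 deny   ip host 255.255.255.255 any log
access-list 100 deny   ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 100 permit ip any any
"""

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((network, wildcard), next_index).

    Cisco wildcard masks are inverted netmasks: a 1 bit means "don't care".
    """
    tok = tokens[i]
    if tok == "any":
        return (0, ALL_ONES), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text):
    """Parse 'access-list N deny|permit ip SRC DST [log]' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        action = tokens[2]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        logged = "log" in tokens[i:]
        rules.append((action, src, dst, logged))
    return rules


def _matches(spec, addr):
    """True if addr falls inside (network, wildcard): compare only the 0 bits of the mask."""
    net, wild = spec
    care = ~wild & ALL_ONES
    return (int(ipaddress.IPv4Address(addr)) ^ net) & care == 0


def evaluate(rules, src, dst):
    """First-match evaluation; unmatched traffic hits the implicit deny (not logged)."""
    for action, src_spec, dst_spec, logged in rules:
        if _matches(src_spec, src) and _matches(dst_spec, dst):
            return action, logged
    return "deny", False


def filter_flows(rules, flows):
    """Return [(src, dst, action, logged)] for each constructed (src, dst) pair."""
    return [(s, d, *evaluate(rules, s, d)) for s, d in flows]


if __name__ == "__main__":
    # Constructed flows: four martians that should be dropped and logged, one normal flow.
    flows = [
        ("255.255.255.255", "10.0.0.5"),
        ("0.0.0.5", "10.0.0.5"),
        ("127.0.0.1", "10.0.0.5"),
        ("10.0.0.5", "127.5.6.7"),
        ("203.0.113.7", "10.0.0.5"),
    ]
    for row in filter_flows(parse_acl(SAMPLE_ACL), flows):
        print(row)
```

The two 127/8 lines are worth reading together: the first drops packets claiming a loopback source, the second drops packets addressed to loopback, so a spoofed "reply" aimed at 127.x inside the network never reaches a host that might trust its own loopback range.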