The following post will explain one of the recommended method of filtering unwanted traffic from the internet to the internal network.
Most administrators filter RFC-1918 traversing from the internet to internal networks, while they are allowing a list of bogons prefixes which is defined in RFC-3330. These addresses are _not_ publicly assigned, therefore should not see them as source IP destined to your internal network. Furthermore, it is a best practice from a security prospective to filter these ranges in case you are targeted with a spoofing attack.
As a reference to this post, please check RFC-3330 which contains all the prefixes in question.
The following configuration example shows RFC-3330 filtering on a Cisco ASA Firewall.
RFC3330 Object-group
object-group network RFC-3330
network-object 0.0.0.0 255.0.0.0
network-object 10.0.0.0 255.0.0.0
network-object 14.0.0.0 255.0.0.0
network-object 24.0.0.0 255.0.0.0
network-object 39.0.0.0 255.0.0.0
network-object 127.0.0.0 255.0.0.0
network-object 128.0.0.0 255.255.0.0
network-object 169.254.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 191.255.0.0 255.255.0.0
network-object 192.0.0.0 255.255.255.0
network-object 192.0.2.0 255.255.255.0
network-object 192.88.99.0 255.255.255.0
network-object 192.168.0.0 255.255.0.0
network-object 198.18.0.0 255.254.0.0
network-object 223.255.255.0 255.255.255.0
network-object 224.0.0.0 240.0.0.0
network-object 240.0.0.0 240.0.0.0
CREATE ACCESSLIST, where the ACL name INTERNET define OUTSIDE interface.
RFC3330 ACL
<pre class="code">access-list INTERNET deny ip object-group RFC-3330 any