
RFC 3330 Traffic Filtering From The Internet

The following post explains one of the recommended methods of filtering unwanted traffic from the internet to the internal network.

Most administrators filter RFC-1918 traffic traversing from the internet to internal networks, while still allowing the list of bogon prefixes defined in RFC-3330. These addresses are _not_ publicly assigned, so you should never see them as the source IP of packets destined to your internal network. Furthermore, it is a best practice from a security perspective to filter these ranges in case you are targeted by a spoofing attack.

As a reference for this post, please check RFC-3330, which contains all the prefixes in question.

The following configuration example shows RFC-3330 filtering on a Cisco ASA Firewall.

Create the access list, where the ACL named INTERNET is applied to the OUTSIDE interface.
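The following is an added example (not the original post's configuration) of what that access list looks like on a Cisco ASA. It denies, as source addresses, the RFC-3330 special-use ranges that are still reserved today and applies the list inbound on the outside interface. The `log` keyword on each deny entry and the placeholder permit entry at the end are assumptions for illustration; replace the placeholder with the inbound rules your environment actually needs. Note that RFC 3330 has since been obsoleted (by RFC 5735, then RFC 6890) and several ranges it listed as reserved in 2002 (14/8, 24/8, 39/8, 128.0/16, 191.255/16, 223.255.255/24) have since been allocated to the public; they are deliberately omitted here, because denying them today would block legitimate traffic. Check the current IANA special-use registry or a maintained bogon feed before deploying a static list like this.

```cisco
! Added example, not the original post's configuration.
! Bogon / special-use source filter, applied inbound on OUTSIDE.
! ASA ACLs take a subnet mask (not a wildcard mask).
access-list INTERNET remark --- RFC-3330 special-use source ranges (still reserved) ---
access-list INTERNET extended deny ip 0.0.0.0 255.0.0.0 any log
access-list INTERNET extended deny ip 10.0.0.0 255.0.0.0 any log
access-list INTERNET extended deny ip 127.0.0.0 255.0.0.0 any log
access-list INTERNET extended deny ip 169.254.0.0 255.255.0.0 any log
access-list INTERNET extended deny ip 172.16.0.0 255.240.0.0 any log
access-list INTERNET extended deny ip 192.0.0.0 255.255.255.0 any log
access-list INTERNET extended deny ip 192.0.2.0 255.255.255.0 any log
access-list INTERNET extended deny ip 192.88.99.0 255.255.255.0 any log
access-list INTERNET extended deny ip 192.168.0.0 255.255.0.0 any log
access-list INTERNET extended deny ip 198.18.0.0 255.254.0.0 any log
access-list INTERNET extended deny ip 224.0.0.0 240.0.0.0 any log
access-list INTERNET extended deny ip 240.0.0.0 240.0.0.0 any log
!
! Placeholder (assumption): the inbound services you actually publish go here,
! e.g. a permit to a DMZ web server. Without explicit permits the ASA's
! implicit deny at the end of the list drops everything else.
access-list INTERNET remark --- permitted inbound services (placeholder) ---
access-list INTERNET extended permit tcp any host 203.0.113.10 eq 443
!
! Bind the list inbound on the outside interface.
access-group INTERNET in interface outside
!
! Complementary control: unicast RPF on the outside interface drops packets
! whose source address is not routable back out that interface.
ip verify reverse-path interface outside
```

The `log` keyword makes every matched packet produce a syslog message (ASA message 106100), which is what turns this filter into a detection source as well as a block: a burst of hits on these entries is a useful indicator of spoofed or misrouted traffic arriving at the edge. Because the ASA evaluates entries top-down with an implicit deny at the end, keep the bogon denies above any broad permits, and remember that the list only filters traffic entering from the outside interface; an equivalent list in the other direction is needed if you also want to stop internal hosts from emitting these sources.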
