Ingess and Egress Filtering to Protect Against IP Spoofing

For IP spoofing, all you really need to do is put an 'in' filter for all private IP address ranges (192.168.0.0/16, 10.0.0.0/8,

172.16.0.0/20, etc) as well as any external ranges that you do actually own. This prevents folks out on the internet from effectively spoofing their IP to make your router think that they are part of your internal network (although with a good firewall, this wouldn't be a problem). Just put it as an 'in' filter on the external interface (towards the internet).

Thanks for your reply. Could you show me what this in filter would look like?

I am required to do this in both directions because of an audit finding. I must do it for compliance.

access-list 101 deny ip 10.0.0.0 0.255.255.255 any access-list 101 deny ip 172.16.0.0 0.15.255.255 any access-list 101 deny ip 192.168.0.0 0.0.255.255 any access-list 101 deny ip 224.0.0.0 7.255.255.255 any access-list 101 deny ip X.X.X.X X.X.X.X any access-list 101 permit ip any any

Use the x.x.x.x one to add any public networks that you may own. If not, just delete it before pasting in.

May also want to add deny's for ranges for broadcast (255.0.0.0

0.255.255.255), loopbacks (127.0.0.1 255.255.255.255), default spoof (0.0.0.0 255.255.255.255), and any other ones you can think of (224.0.0.0 7.255.255.255). Hope this helps.

Even better: