
A while ago I put some time into researching which countries / regions these IP blocks are assigned to.

I'm assuming that these haven't changed much, but I'm not positive. I would assume that these wouldn't get reassigned too often. These commands are for my PIX; I'm not familiar with the ASA. The object-group is really convenient for grouping IPs that you want to treat as one. Here we set up the object groups.

object-group network APNIC
 description Asia-Pacific allocation
 network-object 61.0.0.0 255.0.0.0
 network-object 165.133.0.0 255.255.0.0
 network-object 202.0.0.0 255.0.0.0
 network-object 203.0.0.0 255.0.0.0
 network-object 210.0.0.0 255.0.0.0
 network-object 211.0.0.0 255.0.0.0
 network-object 218.0.0.0 255.0.0.0
 network-object 219.0.0.0 255.0.0.0
 network-object 220.0.0.0 255.0.0.0
 network-object 221.0.0.0 255.0.0.0
 network-object 222.0.0.0 255.0.0.0
 network-object 223.0.0.0 255.0.0.0
 network-object 58.0.0.0 255.0.0.0
 network-object 59.0.0.0 255.0.0.0
 network-object 60.0.0.0 255.0.0.0
object-group network RIPE
 description Europe
 network-object 212.0.0.0 255.0.0.0
 network-object 213.0.0.0 255.0.0.0
 network-object 217.0.0.0 255.0.0.0
 network-object 62.0.0.0 255.0.0.0
 network-object 81.0.0.0 255.0.0.0
object-group network LACNIC
 description Latin America and Carribean
 network-object 200.0.0.0 255.0.0.0
object-group network ARIN
 network-object 64.141.0.0 255.255.128.0
 network-object 204.209.208.0 255.255.248.0
object-group network SANSBLOCK
 description SANS Recommended block list
 network-object 69.50.160.0 255.255.224.0

 network-object 85.0.0.0 255.0.0.0

Here we put the object-groups to use by denying them. You can see for most of these I block everything except smtp. We don't host anything onsite that anyone outside the US needs access to, but we'd still like to receive their email. APNIC is a different story. I have no reason for any connections from there, including smtp. Blocking smtp connections from APNIC drastically reduces spam.

access-list incoming remark -BR: Private address space may not appear as source addresses
access-list incoming deny ip 172.16.0.0 255.240.0.0 any
access-list incoming deny ip 10.0.0.0 255.0.0.0 any
access-list incoming deny ip 192.168.0.0 255.255.0.0 any
access-list incoming deny ip object-group SANSBLOCK any
access-list incoming deny tcp object-group ARIN any neq smtp
access-list incoming remark -BR: Block LACNIC all but smtp
access-list incoming deny tcp object-group LACNIC any neq smtp
access-list incoming remark -BR: Block RIPE all but smtp
access-list incoming deny tcp object-group RIPE any neq smtp
access-list incoming remark -BR: Block APNIC
access-list incoming deny ip object-group APNIC any

When I first blocked the private address spaces from inbound traffic I figured I would not see any hits on these rules. I was wrong, as I'll show you later on.

These are good to block too, unless you have a reason for accepting inbound snmp requests. It's better to block it.

access-list incoming remark -BR: No SNMP
access-list incoming deny udp any any eq snmp

And the fun part: look at some of the hit counts on these rules. The hit counts that follow are only for 41 days' worth of traffic. (The following rules are the same as the ones above, only in a different view to show hit counts. Don't re-enter these.)

Remember for LACNIC and RIPE we're blocking everything EXCEPT smtp. We offer no services that anyone would need to connect to other than smtp. Then why all the failed connections? Exactly. And of course, the internet is a very bad place.

LACNIC

access-list incoming line 17 deny tcp 200.0.0.0 255.0.0.0 any neq smtp (hitcnt=499)

RIPE

access-list incoming line 19 deny tcp 212.0.0.0 255.0.0.0 any neq smtp (hitcnt=784)
access-list incoming line 19 deny tcp 213.0.0.0 255.0.0.0 any neq smtp (hitcnt=1115)
access-list incoming line 19 deny tcp 217.0.0.0 255.0.0.0 any neq smtp (hitcnt=770)
access-list incoming line 19 deny tcp 62.0.0.0 255.0.0.0 any neq smtp (hitcnt=391)
access-list incoming line 19 deny tcp 81.0.0.0 255.0.0.0 any neq smtp (hitcnt=458)

And as far as APNIC goes, we're not accepting any connections. Look at the hit counts!

APNIC

access-list incoming line 21 deny ip 61.0.0.0 255.0.0.0 any (hitcnt=39459)
access-list incoming line 21 deny ip 165.133.0.0 255.255.0.0 any (hitcnt=0)
access-list incoming line 21 deny ip 202.0.0.0 255.0.0.0 any (hitcnt=36346)
access-list incoming line 21 deny ip 203.0.0.0 255.0.0.0 any (hitcnt=29488)
access-list incoming line 21 deny ip 210.0.0.0 255.0.0.0 any (hitcnt=19703)
access-list incoming line 21 deny ip 211.0.0.0 255.0.0.0 any (hitcnt=30886)
access-list incoming line 21 deny ip 218.0.0.0 255.0.0.0 any (hitcnt=42285)
access-list incoming line 21 deny ip 219.0.0.0 255.0.0.0 any (hitcnt=19564)
access-list incoming line 21 deny ip 220.0.0.0 255.0.0.0 any (hitcnt=24886)
access-list incoming line 21 deny ip 221.0.0.0 255.0.0.0 any (hitcnt=30955)
access-list incoming line 21 deny ip 222.0.0.0 255.0.0.0 any (hitcnt=66319)
access-list incoming line 21 deny ip 223.0.0.0 255.0.0.0 any (hitcnt=0)
access-list incoming line 21 deny ip 58.0.0.0 255.0.0.0 any (hitcnt=95526)
access-list incoming line 21 deny ip 59.0.0.0 255.0.0.0 any (hitcnt=58371)
access-list incoming line 21 deny ip 60.0.0.0 255.0.0.0 any (hitcnt=27172)

Not too shabby.

Here are the hit counts for the private address spaces.

access-list incoming line 23 deny ip 172.16.0.0 255.240.0.0 any (hitcnt=110)
access-list incoming line 24 deny ip 10.0.0.0 255.0.0.0 any (hitcnt=728)
access-list incoming line 25 deny ip 192.168.0.0 255.255.0.0 any (hitcnt=113)

And snmp connections.

access-list incoming line 27 deny udp any any eq snmp (hitcnt=12)
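Added example, not part of the original post or the poster's configuration: a small Python script that reads PIX "show access-list" lines of the shape quoted above, totals the hit counts per ACL line (an object-group expands into several entries that share one line number, for example line 21 for APNIC), and reports which deny entry a given source address, protocol and destination port would hit under the PIX's first-match evaluation. The sample output embedded in the script is constructed from the values in the post and deliberately keeps only one or two entries per group; the port-name table (smtp, snmp) covers just the two service names the post uses. One thing the lookup makes visible: the LACNIC and RIPE entries are "deny tcp ... neq smtp", so UDP traffic from those ranges is not matched by them at all and falls through to whatever follows.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of PIX "show access-list" output, using the rule shapes
# and hit counts quoted in the post (one or two representative lines per group).
SAMPLE_OUTPUT = """\
access-list incoming line 17 deny tcp 200.0.0.0 255.0.0.0 any neq smtp (hitcnt=499)
access-list incoming line 19 deny tcp 212.0.0.0 255.0.0.0 any neq smtp (hitcnt=784)
access-list incoming line 19 deny tcp 213.0.0.0 255.0.0.0 any neq smtp (hitcnt=1115)
access-list incoming line 21 deny ip 61.0.0.0 255.0.0.0 any (hitcnt=39459)
access-list incoming line 21 deny ip 165.133.0.0 255.255.0.0 any (hitcnt=0)
access-list incoming line 23 deny ip 172.16.0.0 255.240.0.0 any (hitcnt=110)
access-list incoming line 27 deny udp any any eq snmp (hitcnt=12)
"""

# Only the two service names that appear in the post; extend as needed.
PORT_NAMES = {"smtp": 25, "snmp": 161}

ADDR = r"\d+\.\d+\.\d+\.\d+"
RULE_RE = re.compile(
    rf"access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>any|{ADDR} {ADDR}) (?P<dst>any|{ADDR} {ADDR})"
    r"(?: (?P<op>eq|neq) (?P<port>\S+))? \(hitcnt=(?P<hits>\d+)\)"
)


def to_network(field):
    """'any' becomes 0.0.0.0/0; 'address mask' becomes the network it denotes."""
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = field.split()
    return ipaddress.ip_network((addr, mask), strict=False)


def to_port(name):
    """Service name or numeric port as written in the ACE, or None if absent."""
    if name is None:
        return None
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def parse_show_access_list(text):
    """Return the access-control entries in the order the PIX evaluates them."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # remarks, headers and blank lines carry no hit count
        rules.append({
            "acl": m["acl"], "line": int(m["line"]), "action": m["action"],
            "proto": m["proto"], "src": to_network(m["src"]),
            "dst": to_network(m["dst"]), "op": m["op"],
            "port": to_port(m["port"]), "hits": int(m["hits"]),
        })
    return rules


def hits_by_line(rules):
    """Total hits per ACL line number, i.e. per object-group after expansion."""
    totals = defaultdict(int)
    for r in rules:
        totals[r["line"]] += r["hits"]
    return dict(totals)


def first_match(rules, src_ip, proto, dst_port=None):
    """First entry that matches (PIX first-match); None if no entry matches.

    A 'deny tcp' entry never matches UDP, and 'neq smtp' does not match a
    connection to port 25, which is exactly the hole the post intends for mail.
    """
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if ip not in r["src"]:
            continue
        if r["op"] == "eq" and dst_port != r["port"]:
            continue
        if r["op"] == "neq" and dst_port == r["port"]:
            continue
        return r
    return None


RULES = parse_show_access_list(SAMPLE_OUTPUT)

if __name__ == "__main__":
    for line_no, total in sorted(hits_by_line(RULES).items()):
        print(f"line {line_no}: {total} hits")
    # Constructed lookups: APNIC smtp, LACNIC smtp, LACNIC http, RIPE udp/53.
    for src, proto, port in [("61.5.5.5", "tcp", 25), ("200.1.2.3", "tcp", 25),
                             ("200.1.2.3", "tcp", 80), ("212.1.1.1", "udp", 53)]:
        hit = first_match(RULES, src, proto, port)
        print(src, proto, port, "->", f"line {hit['line']}" if hit else "no deny entry")
```

Feed it the full "show access-list" output captured from the firewall instead of the embedded sample and the per-line totals give the same per-group view the post walks through by hand. A lookup that returns None only means none of the parsed deny entries caught the packet; on the real PIX the rest of the list and the implicit deny at its end still apply.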