National Institute of Standards and Technology (NIST)'s Guidelines on Firewalls and Firewall Policy. The following traffic types should always be blocked:
Inbound traffic from a non-authenticated source system with a destination address of the firewall itself
Inbound traffic with a source address indicating that the packet originated on a network behind the firewall
Inbound traffic containing ICMP
Inbound or outbound traffic from a system using a source address that falls within the private address ranges show n in RFC 1918
Inbound traffic from a non-authenticated source system containing SNMP
Inbound traffic containing IP Source Routing information
Inbound or outbound traffic containing a source or destination address of 127.0.0.1
Inbound or outbound traffic containing a source or destination address of 0.0.0.0
Inbound or outbound traffic containing a directed broadcast address
A good "base" ACL for use on Internet facing routers and firewall devices. Assuming my PubNet range is a block of 32 66.238.29.0 - 31. See below ! no fragments access-list 100 deny tcp any 66.238.29.0 0.0.0.31 log fragments access-list 100 deny udp any 66.238.29.0 0.0.0.31 log fragments access-list 100 deny icmp any 66.238.29.0 0.0.0.31 log fragments ! no snmp inbound from the Internet access-list 100 deny udp any any eq snmp access-list 100 deny udp any any eq snmptrap ! RFC 2827 Ingress, RFC 3804 Martian Filtering and RFC 1918 private Address Filtering access-list 100 deny ip 127.0.0.0 0.255.255.255 any log access-list 100 deny ip 255.0.0.0 0.255.255.255 any log access-list 100 deny ip 224.0.0.0 31.255.255.255 any log access-list 100 deny ip host 0.0.0.0 any log access-list 100 deny ip 10.0.0.0 0.255.255.255 any log access-list 100 deny ip 172.16.0.0 0.15.255.255 any log access-list 100 deny ip 192.0.2.0 0.0.0.255 any log access-list 100 deny ip 192.168.0.0 0.0.255.255 any log access-list 100 deny ip 14.0.0.0 0.255.255.255 any log access-list 100 deny ip 169.254.0.0 0.0.255.255 any log access-list 100 deny ip 198.18.0.0 0.0.255.255 any log access-list 100 deny ip 66.238.29.0 0.0.0.31 any log ! no routing protocols inbound (unless needed) access-list 100 deny tcp any any eq bgp log access-list 100 deny tcp any eq bgp any log access-list 100 deny ipinip any any access-list 100 deny gre any any access-list 100 deny pim any any access-list 100 deny 90 any any access-list 100 deny ospf any any log access-list 100 deny eigrp any any log access-list 100 deny udp any eq rip any log access-list 100 deny udp any any eq rip log access-list 100 permit now begins your permits...if any Notes: 192.0.2.0 0.0.0.255 any log (range known to be used exploit default pw on WLA devices) 4.0.0.0 0.255.255.255 any log (Known as Net-14, a Public use network, possibly used by attackers) 69.254.0.0 0.0.255.255 any log (RFC2026 Link Local) 198.18.0.0 0.0.255.255 any log (block for benchmark tests of network interconnect devices, RFC2544)
