If anyone would care to describe whether this makes sense, or if there's something else they'd like to add, I'm interested in reading it.
www.wildpackets.com has a good subnet calculator as a free download.
"IP Rules
This chapter focuses on those firewall rules that are related to the IP protocol. The example firewall rules use Linux ipchains. These examples don't show logging of the denied packets, but logging is easily added with the -L option.
Source Address Rules
Packets arriving at the external interface can have their IP source addresses altered by an attacker. There are IP addresses that you would normally deny. These are:
Packets with the IP address of the firewall's external interface. The following statement would deal with this assuming that the external interface is 206.190.136.129.
ipchains -A input -i eth0 -s 206.190.136.129 -j DENY
Packets with an IP address of the inside network. This example assumes that the inside network address is 192.168.1.0:
ipchains -A input -i eth0 -s 192.168.1.0/24 -j DENY
Packets with private IP addresses. Private addresses are in the following address ranges: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. Here are three rules for dealing with these three ranges:
ipchains -A input -i eth0 -s 10.0.0.0/8 -j DENY
ipchains -A input -i eth0 -s 172.16.0.0/12 -j DENY
ipchains -A input -i eth0 -s 192.168.0.0/16 -j DENY
Packets with Class D IP multicast addresses. Multicast addresses may be found in the destination address field but should never occur in the source address field.
ipchains -A input -i eth0 -s 224.0.0.0/4 -j DENY
Packets with Class E addresses. The address range 240.0.0.0 to 247.255.255.255 was set aside for experimentation and possible future use. You should deny them unless you know they're required.
ipchains -A input -i eth0 -s 240.0.0.0/5 -j DENY
Packets with the loopback IP address. This is any address in the range of 127.0.0.0 to 127.255.255.255.
ipchains -A input -i eth0 -s 127.0.0.0/8 -j DENY
Packets with a source address of 0.0.0.0.
ipchains -A input -i eth0 -s 0.0.0.0/32 -j DENY
Packets with addresses that IANA.ORG has not yet issued or that are reserved. These addresses change from time to time. Check periodically at www.iana.org."
I must also ask if someone would please care to share where to find a list of these not yet issued or reserved IANA.org addresses.
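To make the Source Address Rules section above concrete, here is an added example of my own (not code from the quoted chapter): a Python check that classifies a packet's source address against the same deny ranges the chapter lists, and a generator that emits the equivalent ipchains rules. The external interface address 206.190.136.129 and the inside network 192.168.1.0/24 are the ones the chapter uses; the sample packets at the bottom are constructed for illustration.

```python
# Added example, not from the quoted chapter: a source-address check mirroring
# the ipchains anti-spoofing rules, plus a generator for the equivalent ruleset.
# 206.190.136.129 and 192.168.1.0/24 are the chapter's addresses; the sample
# packets below are constructed for illustration.
import ipaddress

EXTERNAL_IFACE = "eth0"
EXTERNAL_IP = ipaddress.ip_network("206.190.136.129/32")  # firewall's external interface (from the quote)
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")       # inside network (from the quote)

# Source ranges that must never arrive on the external interface. Checked in
# order; the first match is the reason reported. The inside network is listed
# before the broader 192.168.0.0/16 so it gets the more specific label.
DENY_SOURCES = [
    ("own external address", EXTERNAL_IP),
    ("inside network", INSIDE_NET),
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("class D multicast", ipaddress.ip_network("224.0.0.0/4")),
    ("class E experimental", ipaddress.ip_network("240.0.0.0/5")),  # as in the quote; 248.0.0.0/5 is not covered
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("unspecified source", ipaddress.ip_network("0.0.0.0/32")),
]


def spoof_reason(src):
    """Return the label of the first deny range containing src, or None if the
    address is an acceptable source for a packet arriving from outside."""
    addr = ipaddress.ip_address(src)
    for label, net in DENY_SOURCES:
        if addr in net:
            return label
    return None


def filter_packets(packets, iface=EXTERNAL_IFACE):
    """Apply the check to (interface, source) pairs. Only packets on the
    external interface are tested, like the -i eth0 match in the rules.
    Returns (accepted, denied); denied holds (source, reason) pairs."""
    accepted, denied = [], []
    for pkt_iface, src in packets:
        reason = spoof_reason(src) if pkt_iface == iface else None
        if reason is None:
            accepted.append(src)
        else:
            denied.append((src, reason))
    return accepted, denied


def ipchains_rules(iface=EXTERNAL_IFACE):
    """Emit the ipchains input-chain rules equivalent to DENY_SOURCES. The
    lowercase -l flag logs each match (ipchains -L lists a chain instead)."""
    return [f"ipchains -A input -i {iface} -s {net} -l -j DENY" for _, net in DENY_SOURCES]


if __name__ == "__main__":
    # Constructed sample packets: (interface, source address).
    SAMPLE_PACKETS = [
        ("eth0", "198.51.100.7"),     # ordinary outside host, accepted
        ("eth0", "192.168.1.20"),     # claims to be inside: spoofed
        ("eth0", "10.9.8.7"),         # private source arriving from the Internet
        ("eth0", "127.0.0.1"),        # loopback as source
        ("eth0", "206.190.136.129"),  # our own external address
        ("eth1", "192.168.1.20"),     # same address on the inside interface is fine
    ]
    accepted, denied = filter_packets(SAMPLE_PACKETS)
    print("accepted:", accepted)
    for src, reason in denied:
        print(f"denied {src}: {reason}")
    print("\n".join(ipchains_rules()))
```

Two things worth noticing when you run it. First, the example keeps the chapter's 240.0.0.0/5 for Class E, so a source such as 248.0.0.1 passes the check; the whole reserved block is 240.0.0.0/4, and widening that one entry closes the gap. Second, the logging flag in ipchains is the lowercase -l (-L lists a chain), which the generated rules include so denied packets show up in the kernel log.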