Best practices for ingress filtering

Based on what we have already covered, we can articulate some best practices for ingress filtering. We want the default (block all traffic) to stand. We need to allow access to ports and nodes for certain services that we are providing. For example, in our example network, we are operating an FTP server. This requires leaving port 21 open on the FTP server's network. In addition, we want to use ingress filtering as a means of preventing denial of service attacks. The best practices for ingress filtering are described in the following Internet Engineering Task Force (IETF) documents:

  • Network ingress filtering: Defeating DoS attacks which employ IP source address spoofing (https://tools.ietf.org/html/bcp38)
  • Ingress filtering for multihomed networks: Discusses different strategies for ensuring that incoming packets are from the networks from which they claim to originate, both in general and from a multihomed (meaning the network has multiple points of access to the internet) perspective (https://tools.ietf.org/html/bcp84)

The aforementioned documents are not particularly long, and reading them in their entirety can be instructive. However, the most pertinent findings of these documents are as follows:

  • Traffic which employs IP spoofing should be blocked by firewalls. Ingress filters should thus be configured to only allow traffic from valid source addresses.
  • Automatic filtering should be used on remote access servers. If, for example, a user connects to a remote access server through an ISP, the only valid IP address for traffic from that user is the IP address assigned by the ISP.
  • If DHCP or BOOTP is used, provision must be made on the relay agent for packets with a source IP address of 0.0.0.0 and a destination IP address of 255.255.255.255.
  • BCP 84 is aimed at ISPs and edge network operators, and describes different methods of reverse path forwarding (RPF) which can be used to thwart DDoS attacks. If RPF is employed, the router checks the source IP address of each packet and only forwards the packet if it arrived on the interface that the router's best route to that source address would use. Otherwise, the packet is dropped.
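The source-address checks described above (strict RPF against the routing table, plus the DHCP/BOOTP exception for 0.0.0.0 to 255.255.255.255), as an added example that is not code from the book; the routing table, interface names and sample packets are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Constructed routing table: prefix -> interface the router would send out on.
ROUTES = {
    "0.0.0.0/0": "wan",         # default route towards the ISP
    "192.168.1.0/24": "lan",    # internal LAN
    "203.0.113.0/24": "dmz",    # DMZ holding the FTP server (documentation range)
}


def best_route_interface(src: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach src."""
    addr = ipaddress.ip_address(src)  # raises ValueError on a malformed address
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ingress_verdict(ingress_iface: str, src: str, dst: str) -> str:
    """Strict RPF ingress decision for one packet: 'pass' or 'drop'."""
    # BCP 38: a host without an address yet may legitimately send
    # DHCP/BOOTP discovery from 0.0.0.0 to the limited broadcast address.
    if src == "0.0.0.0" and dst == "255.255.255.255":
        return "pass"
    try:
        iface = best_route_interface(src)
    except ValueError:
        return "drop"  # unparseable source address
    if iface is None:
        return "drop"  # no route back to the claimed source
    # Strict RPF: the packet must have arrived on the interface we would
    # use to reach its source; otherwise the source is presumed spoofed.
    return "pass" if iface == ingress_iface else "drop"


def check_packets(packets):
    """Apply ingress_verdict to (ingress_iface, src, dst) tuples."""
    return [(p, ingress_verdict(*p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic: the LAN address arriving on wan is spoofed.
    for pkt, verdict in check_packets([
        ("wan", "198.51.100.7", "203.0.113.21"),
        ("wan", "192.168.1.5", "203.0.113.21"),
        ("lan", "0.0.0.0", "255.255.255.255"),
    ]):
        print(pkt, verdict)
```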