---
title: Default network security lists should restrict all non ICMP traffic
description: Datadog, the leading service for cloud-scale monitoring.
---

# Default network security lists should restrict all non ICMP traffic
 
## Description{% #description %}

Security lists provide stateful and stateless filtering of ingress and egress network traffic to OCI resources at the subnet level. Default security lists should restrict all non-ICMP traffic from `0.0.0.0/0` (IPv4) and `::/0` (IPv6) to prevent unauthorized access. This rule targets default security lists only: it checks that they do not allow unrestricted ingress from any IP address (`0.0.0.0/0` or `::/0`) for non-ICMP protocols, and that they do not allow unrestricted egress to any destination (`0.0.0.0/0` or `::/0`) for all protocols. Non-default security lists are automatically skipped by this evaluation.
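The check described above can be reproduced offline against exported security-list JSON; the following is an added example, not Datadog's rule implementation. It assumes the kebab-case JSON shape printed by the OCI CLI, identifies the default list through the VCN's `default-security-list-id`, counts both ICMP (`1`) and ICMPv6 (`58`) as ICMP, and flags egress only when the protocol is `all`, following the wording of the description. The function name `findings` and all sample OCIDs and rules are constructed for illustration.

```python
# Added example (not Datadog's rule code). Input uses the kebab-case JSON shape
# printed by the OCI CLI; all OCIDs and rules below are constructed samples.
ANY = {"0.0.0.0/0", "::/0"}
ICMP = {"1", "58"}  # assumption: ICMP (1) and ICMPv6 (58) are both exempt

def findings(vcn, security_lists):
    """Return (list_id, direction, rule) for each violating rule in the default list."""
    default_id = vcn["default-security-list-id"]
    out = []
    for sl in security_lists:
        if sl["id"] != default_id:
            continue  # non-default security lists are skipped
        for rule in sl.get("ingress-security-rules") or []:
            # "all" also fails here: it admits TCP/UDP alongside ICMP.
            if rule.get("source") in ANY and str(rule.get("protocol")) not in ICMP:
                out.append((sl["id"], "ingress", rule))
        for rule in sl.get("egress-security-rules") or []:
            # Assumption: egress is flagged only for protocol "all", per the Description.
            if rule.get("destination") in ANY and str(rule.get("protocol")) == "all":
                out.append((sl["id"], "egress", rule))
    return out

DEFAULT_ID = "ocid1.securitylist.oc1..default-example"  # constructed placeholder
SAMPLE_VCN = {"id": "ocid1.vcn.oc1..example", "default-security-list-id": DEFAULT_ID}
SAMPLE_LISTS = [
    {"id": DEFAULT_ID,
     "ingress-security-rules": [
         {"source": "0.0.0.0/0", "protocol": "6",
          "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
         {"source": "0.0.0.0/0", "protocol": "1",
          "icmp-options": {"type": 3, "code": 4}},
         {"source": "10.0.0.0/16", "protocol": "all"},
         {"source": "::/0", "protocol": "17"},
     ],
     "egress-security-rules": [{"destination": "0.0.0.0/0", "protocol": "all"}]},
    {"id": "ocid1.securitylist.oc1..custom-example",
     "ingress-security-rules": [{"source": "0.0.0.0/0", "protocol": "all"}],
     "egress-security-rules": []},
]

if __name__ == "__main__":
    for list_id, direction, rule in findings(SAMPLE_VCN, SAMPLE_LISTS):
        target = rule.get("source") or rule.get("destination")
        print(direction, "protocol", rule["protocol"], target)
```

On the sample data the default list yields three findings (TCP 22 from `0.0.0.0/0`, UDP from `::/0`, and egress `all` to `0.0.0.0/0`), while the wide-open custom list is ignored because it is not the VCN's default.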

## Remediation{% #remediation %}

Remove or modify ingress security rules in default security lists that allow non-ICMP traffic from `0.0.0.0/0` (IPv4) or `::/0` (IPv6). Remove or modify egress security rules that allow traffic to `0.0.0.0/0` (IPv4) or `::/0` (IPv6). Instead, restrict access to specific IP ranges or use VPN connections. For guidance on configuring network security lists, refer to the [Updating Rules in a Security List](https://docs.oracle.com/iaas/Content/Network/Concepts/update-securitylist.htm) section of the Oracle Cloud Infrastructure documentation.
