
Re: iptables for 1 interface pc and other questions



On Mon, Jan 20, 2003 at 09:35:16PM +0100, Benedict Verheyen wrote:
> Op ma 20-01-2003, om 18:42 schreef Nathan E Norman:
> > On Sun, Jan 19, 2003 at 11:27:04PM +0100, Bart-Jan Vrielink wrote:
> > > On zo, 2003-01-19 at 22:48, Benedict Verheyen wrote:
> > > 
> > > > RESERVED_NET="
> >  
> > [ snip ]
> > 
> > > >         69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
> > 
> > [ snip ]
> >  
> > > Before you set up such a firewall, please make sure you do not block
> > > valid ip networks only because you think they are invalid. See
> > > http://www.cymru.com/Bogons/ for a very good and up-to-date list of
> > > bogon networks. And consider subscribing to a list like
> > > bogon-announce@puck.nether.net that helps you to keep your firewall
> > > up-to-date whenever IANA assigns a new range.
> > 
> > Good advice.  For example, blocking 69/8 is certainly wrong ... it was
> > recently allocated.  There's been lengthy discussion on NANOG
> > (at least) on what to do about people who are erroneously filtering
> > traffic to/from 69/8 ...
> > 
> > -- 
> > Nathan Norman - Incanus Networking mailto:nnorman@incanus.net
> >   No.
> >   > Should I include quotations after my reply?
> 
> I didn't know of the existence of this Bogons page. I'm going to
> subscribe to the list.
> I had a look at the page and it has a part that says:
> Dotted Decimal Non-aggregated in the Bogon Dotted Decimal 
> List v1.6 23 NOV 2002. Are these the ones that should be DROPped?

Yes, though if you're using iptables you might as well use the "Bit
Notation Non-aggregated" list instead.  Maybe it's personal preference
but I find the slash notation more intuitive than all the dotted
networks and masks ...

To reiterate: packets sent to or arriving from addresses in the Bogon
list are not valid! [1]

[1] Note that this applies to packets arriving or leaving on your
external link(s).  If you're doing rfc1918 or have some horribly
designed network which was addressed using unassigned space (don't
laugh, I've seen people do that as well as "reuse" space allocated to
someone else) then the bogon rules don't (completely) apply to your
internal routers.

-- 
Nathan Norman - Incanus Networking mailto:nnorman@incanus.net
  Unix was not designed to stop people from doing stupid things,
  because that would also stop them from doing clever things.
          -- Doug Gwyn
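An added example, not code from the original message nor from the Cymru project, of how a slash-notation ("Bit Notation") bogon list can be turned into iptables DROP rules that apply only to the external link, as the reply above describes. It assumes the external interface is eth0 (override with EXT_IF) and uses a constructed placeholder list of well-known reserved ranges; the real list must come from http://www.cymru.com/Bogons/ and be refreshed whenever a new allocation is announced, which is why the rules live in their own chain that can be flushed and rebuilt:

```shell
#!/bin/sh
# Added example (not from the original message): build iptables bogon
# filtering rules for the external interface only, from a CIDR list in
# slash notation. Rules go into a dedicated BOGONS chain so the whole set
# can be replaced when the upstream list changes.

EXT_IF="${EXT_IF:-eth0}"   # assumed name of the external interface
IPT="${IPT:-iptables}"     # path to iptables; override for dry runs

# Constructed placeholder list of reserved ranges. Replace with the
# current Bogons list; do not guess at it (69/8 is allocated, not bogon).
BOGONS="
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
240.0.0.0/4
"

# Validate one CIDR entry: four dotted octets 0-255 and a prefix length
# 0-32. Anything else is skipped rather than silently passed to iptables.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip="${1%/*}"; len="${1#*/}"
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands (one per line) instead of running them, so
# they can be reviewed first or piped to sh to apply.
bogon_rules() {
    echo "$IPT -N BOGONS 2>/dev/null"
    echo "$IPT -F BOGONS"
    for net in $BOGONS; do
        if ! valid_cidr "$net"; then
            echo "skipping malformed entry: $net" >&2
            continue
        fi
        # Inbound on the external link: a bogon source is spoofed or misrouted.
        echo "$IPT -A BOGONS -i $EXT_IF -s $net -j DROP"
        # Outbound on the external link: nothing legitimate goes to a bogon.
        echo "$IPT -A BOGONS -o $EXT_IF -d $net -j DROP"
    done
    # Hook the chain in only for traffic crossing the external interface;
    # RFC 1918 traffic on internal interfaces never enters it.
    for chain in INPUT FORWARD; do
        echo "$IPT -D $chain -i $EXT_IF -j BOGONS 2>/dev/null"
        echo "$IPT -I $chain 1 -i $EXT_IF -j BOGONS"
    done
    for chain in OUTPUT FORWARD; do
        echo "$IPT -D $chain -o $EXT_IF -j BOGONS 2>/dev/null"
        echo "$IPT -I $chain 1 -o $EXT_IF -j BOGONS"
    done
}

# Usage: review with `sh bogons.sh`, apply with `sh bogons.sh | sh`.
bogon_rules
```

The -D before each -I keeps the hook rule from being duplicated on reload, and matching on -i/-o $EXT_IF is what confines the filter to the external link per the footnote above.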

