
Re: anti spoofing / network address



On 07 Apr 2004, Eddy Petrisor wrote:
> Can you tell me something related to the $subj?
> 
> If I have an internal network that has class private IPs (172.16.),
> and I am putting (in fact, firewall builder is putting it) the
> following rule in the firewall, does this work for all the IPs in the
> subnet, or is not working at all (trying to match that single IP)?
> 
> iptables -A INPUT -i eth1 -s 172.16.0.0/255.255.0.0 -j IRULE_0_eth1
> iptables -A FORWARD -i eth1 -s 172.16.0.0/255.255.0.0 -j IRULE_0_eth1
> 
> I am a total newbie at this, so if the data is incomplete/incorrect,
> please tell me so I can correct it.

I think I understand your question here, but if I have not please
correct me.

I think your question is if those two rules will match only one host, or
if they will match *all* the hosts behind the router.


There are two issues there.  The first one is the "network mask" issue,
which is the '-s 172.16.0.0/255.255.0.0' part of those rules.

Basically, the test is "does the IP address AND the netmask match the
prefix?"

So, given your netmask is 255.255.0.0 here, only the first two bytes of
the IP address being matched will be significant.  That is, for the
address 192.168.23.253, only the '192.168' part would be significant.

So, those rules will match anything which is '172.16.?.?' - so, yes,
those will match all the IP addresses in your subnet.


The second issue is the chain.  There are two chains in play here, the
INPUT chain and the FORWARD chain.

The INPUT chain is used for IP packets that the routing table states
should come to the local machine.

The FORWARD chain is used for IP packets that the routing table states
are to be forwarded from this machine to another machine.


So, with the two statements, you *will* send any packet to the
172.16.0.0/255.255.0.0 network (your subnet) sent to either the router,
or the machines behind it.


For what it is worth, if you don't really have a solid grasp of some of
the concepts here you may do better with something a bit more helpful
than "Firewall Builder", such as 'firehol' or 'shorewall'.

They provide a more automatic method for providing the sort of
protection you generally need for a system, and make it easier to get
the experience you need to build secure firewalls.

Personally, I use 'firehol', which is in testing and unstable, or at
<http://firehol.sf.net/>, and which does scale to complex systems as
well as being simple to use for basic configuration.


I hope that helped,
  Daniel

-- 
Hypocrisy is the Vaseline of social intercourse. -- J. R. Newman
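The netmask test and the INPUT/FORWARD split described in the reply above, as an added worked example that is not part of the original thread or of iptables/Firewall Builder; the router addresses and sample packets are constructed:

```python
import socket
import struct

# Added illustration, not code from the original post, iptables or Firewall
# Builder: the two quoted rules evaluated by hand against sample packets.

def ip_to_int(dotted):
    """Dotted-quad text to a 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def parse_mask(mask):
    """Accept a dotted netmask (255.255.0.0) or a prefix length (16)."""
    if "." in mask:
        return ip_to_int(mask)
    return (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF

def source_matches(addr, spec):
    """The netfilter test: (address AND netmask) == (prefix AND netmask)."""
    prefix, mask = spec.split("/")
    m = parse_mask(mask)
    return (ip_to_int(addr) & m) == (ip_to_int(prefix) & m)

def chain_for(dst, local_addrs):
    """INPUT when addressed to the router itself, FORWARD when routed onward."""
    return "INPUT" if dst in local_addrs else "FORWARD"

def evaluate(pkt, rules, local_addrs):
    """Target of the first rule in the packet's chain matching iface and source."""
    chain = chain_for(pkt["dst"], local_addrs)
    for r in rules:
        if (r["chain"] == chain and r["iface"] == pkt["iface"]
                and source_matches(pkt["src"], r["src"])):
            return r["target"]
    return None

# The two rules quoted in the thread.
RULES = [
    {"chain": "INPUT", "iface": "eth1", "src": "172.16.0.0/255.255.0.0", "target": "IRULE_0_eth1"},
    {"chain": "FORWARD", "iface": "eth1", "src": "172.16.0.0/255.255.0.0", "target": "IRULE_0_eth1"},
]
# Constructed router addresses: internal side on eth1, external side elsewhere.
ROUTER_ADDRS = {"172.16.0.1", "203.0.113.7"}

if __name__ == "__main__":
    for pkt in [{"iface": "eth1", "src": "172.16.5.9", "dst": "172.16.0.1"},
                {"iface": "eth1", "src": "172.16.200.4", "dst": "198.51.100.2"},
                {"iface": "eth1", "src": "192.168.23.253", "dst": "198.51.100.2"}]:
        print(pkt["src"], chain_for(pkt["dst"], ROUTER_ADDRS), evaluate(pkt, RULES, ROUTER_ADDRS))
```

Note that `-s` matches the packet's source address, so an address outside 172.16.0.0/16 arriving on eth1 falls through both rules.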


