
Re: Contribute to pf(4)



In some mail from Joseph W. Shaw II, sie said:
[...]
> In essence you're saying blocking possible spoofed traffic is a waste of
> time and not an indicator of abnormal network behavior, or am I
> misunderstanding you Theo?  That would seem to fly in the face of accepted
> network security practices endorsed by just about everyone.  It's
> considered a good idea to block RFC1918 reserved address space for public
> use, but not other unassigned/reserved space according to you?

Think about it like this.

Typically you have a set of services you want "the internet" to access
and a set of services you don't want "the internet" to access.  Of the
things you don't want "the internet" to access, you typically have a
finite list of those that you want to and this will in one way or another
be enumerated in your access control configuration file(s).

When you think about offering a service to "the internet", you typically
do not care which IP address it is or isn't coming from.  In such cases,
defining "the internet" (I hope it will forgive me the lack of I's) to
include addresses that are 'impossible' makes no difference.  Except of
course if you happen to use the same set of addresses internally.

In practice I don't personally believe defining it to include, or not
include, such networks as 192.168/16 or 10/8 or whatever else, makes
any real difference to your security if you do not use any of those
addresses internally.  For practical purposes, you should *always* be
blocking all traffic which appears on your outside doorstep, using an
internal address.  I like to leave considering the problem of the
complexity and difference/accuracy of rules that explicitly mention
all of the "reserved" networks to people like my boss who seem to take
inordinate amounts of pleasure thinking about such topics.

Mind you, this is just my thoughts on it.  Don't let my opinions stop
you from doing what you believe is correct, for the end goal is to
achieve something that lets you/me sleep at night.  Different strokes
for different folks.

Darren
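The advice above (block anything arriving on the outside interface that carries an internal or otherwise impossible source address, and don't fuss over the rest unless you have a reason to) translates into a short pf.conf fragment. This is an added example, not Darren's configuration or anything shipped with OpenBSD; the interface name em0, the internal network 192.168.1.0/24 and the three published service ports are assumptions chosen for illustration.

```pf
# Added example, not from the original mail.  The interface name "em0",
# the internal network 192.168.1.0/24 and the published ports are
# assumptions for illustration only.
ext_if  = "em0"
int_net = "192.168.1.0/24"

# RFC 1918 private space, plus addresses that can never legitimately be
# the source of a packet arriving from "the internet": loopback,
# link-local, multicast and the reserved class E block.  "const" makes
# the tables read-only once loaded, so they cannot be changed at runtime.
table <private>  const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <martians> const { 127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }

set skip on lo0

# Drop and log anything on the outside doorstep that claims an internal or
# impossible source, and anything trying to leave toward private space.
# "quick" ends rule evaluation, so no later pass rule can override this.
block in  log quick on $ext_if from { <private>, <martians> } to any
block out log quick on $ext_if from any to <private>

# antispoof expands to block rules for packets arriving on $ext_if whose
# source address belongs to one of $ext_if's own directly attached networks.
antispoof log quick for $ext_if inet

# Default deny, then enumerate the services "the internet" may reach;
# their source address is deliberately left unconstrained ("from any").
block all
pass in  on $ext_if inet proto tcp from any to ($ext_if) \
    port { 22, 80, 443 } flags S/SA keep state
pass out on $ext_if inet keep state
```

Syntax-check the fragment with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Note Darren's caveat: the <private> table is only applied on $ext_if, so a host that itself sits on 192.168.1.0/24 is unaffected; if you filter the same table on an internal interface you will cut off your own network.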