[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: good IPF firewall ruleset
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: good IPF firewall ruleset
- From: "Irwin R. Naumann" <irwin_(_at_)_thinkage_(_dot_)_ca>
- Date: Thu, 20 Sep 2001 16:56:42 -0400 (EDT)
> From owner-misc_(_at_)_openbsd_(_dot_)_org Thu Sep 20 16:41:15 2001
> Date: Thu, 20 Sep 2001 15:42:17 -0500 (CDT)
> From: "Joshua b. Jore" <josh_(_at_)_greentechnologist_(_dot_)_org>
> X-X-Sender: <josh_(_at_)_aaieee_(_dot_)_daisy-chan_(_dot_)_org>
> To: Gunnar Wolf <gwolf_(_at_)_campus_(_dot_)_iztacala_(_dot_)_unam_(_dot_)_mx>
> Cc: marrandy <marrandy_(_at_)_chaossolutions_(_dot_)_org>, <misc_(_at_)_openbsd_(_dot_)_org>
> Subject: Re: good IPF firewall ruleset
> MIME-Version: 1.0
> Content-Type> : > TEXT/PLAIN> ; > charset=US-ASCII>
> Sender: owner-misc_(_at_)_openbsd_(_dot_)_org
> X-Loop: misc_(_at_)_openbsd_(_dot_)_org
> Content-Length: 3829
>
> So... I've checked out http://www.iana.org/assignments/ipv4-address-space
> and it's raised more questions that it answered. There are whole chunks of
> netspace that are IANA reserved but I didn't read of these as special.
>
> Let me just stop a second here and explain what I want to do. I want to
> enumerate those netblocks that I can (a) expect to never receive traffic
> from and/or (b) expect to never send traffic to. Given that information
> I'd want to put that into a ruleset so that IPF can enforce IP addressing
> correctness.
>
> Here's how I read this (and I am *not* an IP person. I just do the best
> job I can)
> 'Reserved' => 'Offlimits and may be blocked'
> 'Private Use' => 'May be blocked'
> 'Public Data Network' => 'Dunno. Help?'
> 'Multicast' => 'Dunno. Help?'
>
> So from this information I've figured out what IANA allows me to block.
> The next step would be to get the same data from APNIC, ARIN and RIPE,
> right? Any ideas about how to do that especially since the databases
> aren't available for download?
>
> Joshua Jore
>
> grep IANA ipv4-address-space >
> 000/8 IANA - Reserved Sep 81
> 001/8 IANA - Reserved Sep 81
> 002/8 IANA - Reserved Sep 81
> 005/8 IANA - Reserved Jul 95
> 007/8 IANA - Reserved Apr 95
> 010/8 IANA - Private Use Jun 95
> 014/8 IANA - Public Data Network Jun 91
> 023/8 IANA - Reserved Jul 95
> 027/8 IANA - Reserved Apr 95
> 031/8 IANA - Reserved Apr 99
> 036/8 IANA - Reserved Jul 00
> 037/8 IANA - Reserved Apr 95
> 039/8 IANA - Reserved Apr 95
> 041/8 IANA - Reserved May 95
> 042/8 IANA - Reserved Jul 95
> 049/8 IANA - Reserved
> 050/8 IANA - Reserved Mar 98
> 058/8 IANA - Reserved Sep 81
> 059/8 IANA - Reserved Sep 81
> 060/8 IANA - Reserved Sep 81
> 069-079/8 IANA - Reserved Sep 81
> 082-095/8 IANA - Reserved Sep 81
> 096-126/8 IANA - Reserved Sep 81
> 127/8 IANA - Reserved Sep 81
> 197/8 IANA - Reserved May 93
> 219-223/8 IANA - Reserved Sep 81
> 224-239/8 IANA - Multicast Sep 81
> 240-255/8 IANA - Reserved Sep 81
>
> Joshua Jore
> Minneapolis Ward 3, precinct 10
> "The irony of this man being imprisoned in the United States and longing
> to return to once-Communist Russia so he can regain his right to free
> speech is simply staggering." - Paul Cantrell, St Paul area software
> developer
>
You should not see traffic from the above address blocks. If you do the
addresses are spoofed.
The 010/8 is also mentioned in RFC1918 - Address Allocation for
Private Internets. This RFC describes 10/8, 172.16/12 and 192.168/16 addresses
as reserved for "private internets". That's why many people use the 192.168.*.*
address for their home networks behind a NAT or firewall device.
The multicast addresses should not pass beyond a LAN's boundaries.
There an internet draft "Documenting Special Use IPv4 Address Blocks that
have been registered with IANA"
http://search.ietf.org/internet-drafts/draft-manning-dsua-06.txt
that describes "special use prefixes" of IPv4 address space:
0.0.0.0/8
127.0.0.0/8
192.0.2.0/24
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
all D/E space
Irwin
Visit your host, monkey.org