
Re: good IPF firewall ruleset



> From owner-misc_(_at_)_openbsd_(_dot_)_org  Thu Sep 20 16:41:15 2001
> Date: Thu, 20 Sep 2001 15:42:17 -0500 (CDT)
> From: "Joshua b. Jore" <josh_(_at_)_greentechnologist_(_dot_)_org>
> X-X-Sender: <josh_(_at_)_aaieee_(_dot_)_daisy-chan_(_dot_)_org>
> To: Gunnar Wolf <gwolf_(_at_)_campus_(_dot_)_iztacala_(_dot_)_unam_(_dot_)_mx>
> Cc: marrandy <marrandy_(_at_)_chaossolutions_(_dot_)_org>, <misc_(_at_)_openbsd_(_dot_)_org>
> Subject: Re: good IPF firewall ruleset
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Sender: owner-misc_(_at_)_openbsd_(_dot_)_org
> X-Loop: misc_(_at_)_openbsd_(_dot_)_org
> Content-Length: 3829
> 
> So... I've checked out http://www.iana.org/assignments/ipv4-address-space
> and it's raised more questions than it answered. There are whole chunks of
> netspace that are IANA reserved but I didn't read of these as special.
> 
> Let me just stop a second here and explain what I want to do. I want to
> enumerate those netblocks that I can (a) expect to never receive traffic
> from and/or (b) expect to never send traffic to. Given that information
> I'd want to put that into a ruleset so that IPF can enforce IP addressing
> correctness.
> 
> Here's how I read this (and I am *not* an IP person. I just do the best
> job I can)
> 'Reserved' => 'Offlimits and may be blocked'
> 'Private Use' => 'May be blocked'
> 'Public Data Network' => 'Dunno. Help?'
> 'Multicast' => 'Dunno. Help?'
> 
> So from this information I've figured out what IANA allows me to block.
> The next step would be to get the same data from APNIC, ARIN and RIPE,
> right? Any ideas about how to do that especially since the databases
> aren't available for download?
> 
> Joshua Jore
> 
> grep IANA ipv4-address-space >
> 000/8		IANA - Reserved				Sep 81
> 001/8		IANA - Reserved				Sep 81
> 002/8		IANA - Reserved				Sep 81
> 005/8		IANA - Reserved				Jul 95
> 007/8		IANA - Reserved				Apr 95
> 010/8		IANA - Private Use			Jun 95
> 014/8		IANA - Public Data Network		Jun 91
> 023/8		IANA - Reserved				Jul 95
> 027/8		IANA - Reserved				Apr 95
> 031/8		IANA - Reserved				Apr 99
> 036/8		IANA - Reserved 			Jul 00
> 037/8		IANA - Reserved				Apr 95
> 039/8		IANA - Reserved				Apr 95
> 041/8		IANA - Reserved				May 95
> 042/8		IANA - Reserved				Jul 95
> 049/8		IANA - Reserved
> 050/8		IANA - Reserved				Mar 98
> 058/8		IANA - Reserved				Sep 81
> 059/8		IANA - Reserved				Sep 81
> 060/8		IANA - Reserved				Sep 81
> 069-079/8	IANA - Reserved				Sep 81
> 082-095/8	IANA - Reserved				Sep 81
> 096-126/8	IANA - Reserved				Sep 81
> 127/8		IANA - Reserved				Sep 81
> 197/8		IANA - Reserved				May 93
> 219-223/8       IANA - Reserved				Sep 81
> 224-239/8	IANA - Multicast			Sep 81
> 240-255/8	IANA - Reserved				Sep 81
> 
> Joshua Jore
> Minneapolis Ward 3, precinct 10
>   "The irony of this man being imprisoned in the United States and longing
> to return to once-Communist Russia so he can regain his right to free
> speech is simply staggering." - Paul Cantrell, St Paul area software
> developer
> 

You should not see traffic from the above address blocks. If you do the
addresses are spoofed.

The 010/8 is also mentioned in RFC1918 - Address Allocation for
Private Internets. This RFC describes 10/8, 172.16/12 and 192.168/16 addresses
as reserved for "private internets". That's why many people use the 192.168.*.*
address for their home networks behind a NAT or firewall device.

The multicast addresses should not pass beyond a LAN's boundaries.

There is an internet draft "Documenting Special Use IPv4 Address Blocks that
have been registered with IANA"

 http://search.ietf.org/internet-drafts/draft-manning-dsua-06.txt

that describes "special use prefixes" of IPv4 address space:
  0.0.0.0/8
  127.0.0.0/8
  192.0.2.0/24
  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16
  169.254.0.0/16
  all D/E space

   Irwin
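As an added example (not from either poster), the following Python script turns the special-use prefixes listed in the reply into IPF rules for an assumed external interface and flags source addresses from those prefixes in constructed log lines. It deliberately uses only the draft's list plus D/E space, not the 2001 IANA "Reserved" /8s from the quoted grep, since those blocks have since been allocated and blocking them today would drop legitimate traffic.

```python
import ipaddress
import re

# Special-use IPv4 prefixes as listed in the reply above (draft-manning-dsua plus
# all of class D and E space). RFC1918 space is 10/8, 172.16/12 and 192.168/16.
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "224.0.0.0/4",   # class D: multicast, should not cross a LAN boundary
    "240.0.0.0/4",   # class E: reserved
)]


def matching_prefix(addr):
    """Return the special-use prefix containing addr, or None if it is routable space."""
    ip = ipaddress.ip_address(addr)
    for net in SPECIAL_USE:
        if ip in net:
            return str(net)
    return None


def ipf_rules(ext_if):
    """Generate IPF rules dropping special-use traffic in both directions on the
    external interface (ext_if is an assumed interface name, e.g. xl0)."""
    rules = []
    for net in SPECIAL_USE:
        rules.append(f"block in quick on {ext_if} from {net} to any")
        rules.append(f"block out quick on {ext_if} from any to {net}")
    return rules


# Constructed sample log lines (a simplified format, not real ipmon output).
SAMPLE_LOG = """\
src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=80
src=198.51.100.9 dst=203.0.113.5 proto=tcp dport=22
src=127.0.0.1 dst=203.0.113.5 proto=udp dport=53
src=224.0.0.9 dst=203.0.113.5 proto=udp dport=520
"""


def find_spoofed(log_text):
    """Return (src, prefix) for each source address inside a special-use prefix;
    such packets arriving on the external interface can only be spoofed."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"src=(\d+\.\d+\.\d+\.\d+)", line)
        if m and (net := matching_prefix(m.group(1))):
            hits.append((m.group(1), net))
    return hits
```

Feed the output of `ipf_rules` into ipf.conf ahead of your pass rules; the `quick` keyword makes the block final without evaluating later rules.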