* subnet problem
@ 2004-07-18 20:50 Mail Lists
2004-07-18 21:02 ` Antony Stone
0 siblings, 1 reply; 8+ messages in thread
From: Mail Lists @ 2004-07-18 20:50 UTC (permalink / raw)
To: netfilter
I'd appreciate help here.
I disallow iana reserved and some rfc 1918 from my firewall.
The line in question is this:
cRES_LDROP all -- 172.16.0.0/12 0.0.0.0/0
which I would expect to block 172.16 to 172.31.
However I get these in my log files:
Jul 18 16:21:47 fw kernel: [FW Drop-Res] IN=eth1 OUT= MAC=<xx> SRC=172.139.140.122 DST=<myip> LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=30189 DF PROTO=TCP SPT=3477 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
I'm stumped - why did 172.139 get dropped here? Not that the packet
wouldn't have gotten dropped later anyway, but this rule should not
have matched?
Suggestions?
gene/
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: subnet problem
2004-07-18 20:50 subnet problem Mail Lists
@ 2004-07-18 21:02 ` Antony Stone
2004-07-18 22:10 ` Mail Lists
0 siblings, 1 reply; 8+ messages in thread
From: Antony Stone @ 2004-07-18 21:02 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 9:50 pm, Mail Lists wrote:
> I disallow iana reserved and some rfc 1918 from my firewall.
>
> cRES_LDROP all -- 172.16.0.0/12 0.0.0.0/0
>
> which I would expect to block 172.16 to 172.31.
>
> However I get these in my log files:
>
> Jul 18 16:21:47 fw kernel: [FW Drop-Res] IN=eth1 OUT= MAC=<xx>
> SRC=172.139.140.122 DST=<myip> LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=30189
> DF PROTO=TCP SPT=3477 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
>
> I'm stumped - why did 172.139 get dropped here? Not that the packet
> wouldn't have gotten dropped later anyway but this rule should not
> have matched?
>
> Suggestions?
Please post your ruleset so we can see everything relating to cRES_LDROP.
Regards,
Antony.
--
If you can't find an Open Source solution for it, then it isn't a real
problem.
Please reply to the list;
please don't CC me.
* Re: subnet problem
2004-07-18 21:02 ` Antony Stone
@ 2004-07-18 22:10 ` Mail Lists
2004-07-19 9:12 ` Antony Stone
2004-07-19 10:52 ` John A. Sullivan III
0 siblings, 2 replies; 8+ messages in thread
From: Mail Lists @ 2004-07-18 22:10 UTC (permalink / raw)
To: netfilter
Right - thanks for any insights - more details below.
On Sun, Jul 18, 2004 at 10:02:20PM +0100, Antony Stone wrote:
> On Sunday 18 July 2004 9:50 pm, Mail Lists wrote:
>
> > cRES_LDROP all -- 172.16.0.0/12 0.0.0.0/0
> > which I would expect to block 172.16 to 172.31.
> > ... blocked on 172.139.140.122
> > ...
> Please post your ruleset so we can see everything relating to cRES_LDROP.
>
Hi:
More details - firewall generated by a script - this is
what the script actually runs ... I've removed some (hopefully)
not relevant bits and here's the remainder of the script output.
If it's easier I'm happy to post the script itself.
#Starting iptables firewall ...
# Initializing Iptables Firewall ...
# ** Entering Test mode - nothing is actually run now
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X # Remove any existing user-defined chains.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# User defined Chains ...
# [ ... delete non-relevant stuff ]
iptables --new cRES_LDROP
iptables -F cRES_LDROP
iptables -A cRES_LDROP -j LOG --log-level info --log-prefix "[FW Drop-Res] "
iptables -A cRES_LDROP -j DROP
# [ ... Drop self ips on outside i/f, accept local and so on ]
# [ ... Closed outbound Ports ..., nfs, X11, IRC, MSFT, etc ]
# [ ... NAT - whats allowed - the ususal established related etc ]
# [ ... Local traffic allowed ... ]
# Drop reserved, broadcast rfc 1918 etc
iptables -A INPUT -d 0.0.0.0 -i eth1 -j cRES_LDROP
iptables -A FORWARD -d 0.0.0.0 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -s 0.0.0.0 -o eth1 -j cRES_LDROP
iptables -A FORWARD -s 0.0.0.0 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 10.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 10.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 10.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 10.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 172.16.0.0/12 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 172.16.0.0/12 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 172.16.0.0/12 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 172.16.0.0/12 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 224.0.0.0/4 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 224.0.0.0/4 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 224.0.0.0/4 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 224.0.0.0/4 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 255.255.255.255 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 255.255.255.255 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 255.255.255.255 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 255.255.255.255 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 1.0.0.0/7 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 1.0.0.0/7 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 1.0.0.0/7 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 1.0.0.0/7 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 2.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 2.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 2.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 2.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 5.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 5.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 5.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 5.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 7.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 7.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 7.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 7.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 23.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 23.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 23.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 23.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 27.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 27.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 27.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 27.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 31.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 31.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 31.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 31.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 36.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 36.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 36.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 36.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 37.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 37.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 37.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 37.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 39.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 39.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 39.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 39.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 41.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 41.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 41.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 41.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 42.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 42.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 42.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 42.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 71.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 71.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 71.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 71.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 72.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 72.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 72.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 72.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 73.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 73.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 73.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 73.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 74.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 74.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 74.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 74.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 75.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 75.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 75.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 75.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 76.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 76.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 76.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 76.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 77.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 77.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 77.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 77.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 78.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 78.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 78.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 78.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 79.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 79.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 79.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 79.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 89.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 89.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 89.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 89.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 90.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 90.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 90.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 90.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 91.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 91.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 91.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 91.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 92.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 92.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 92.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 92.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 93.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 93.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 93.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 93.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 94.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 94.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 94.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 94.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 95.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 95.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 95.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 95.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 96.0.0.0/3 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 96.0.0.0/3 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 96.0.0.0/3 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 96.0.0.0/3 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 173.0.0.0/5 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 173.0.0.0/5 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 173.0.0.0/5 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 173.0.0.0/5 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 181.0.0.0/6 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 181.0.0.0/6 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 181.0.0.0/6 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 181.0.0.0/6 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 185.0.0.0/7 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 185.0.0.0/7 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 185.0.0.0/7 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 185.0.0.0/7 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 187.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 187.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 187.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 187.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 189.0.0.0/7 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 189.0.0.0/7 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 189.0.0.0/7 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 189.0.0.0/7 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 197.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 197.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 197.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 197.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 223.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 223.0.0.0/8 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 223.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 223.0.0.0/8 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 224.0.0.0/4 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 224.0.0.0/4 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 224.0.0.0/4 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 224.0.0.0/4 -o eth1 -j cRES_LDROP
iptables -A INPUT -s 240.0.0.0/4 -i eth1 -j cRES_LDROP
iptables -A FORWARD -s 240.0.0.0/4 -i eth1 -j cRES_LDROP
iptables -A OUTPUT -d 240.0.0.0/4 -o eth1 -j cRES_LDROP
iptables -A FORWARD -d 240.0.0.0/4 -o eth1 -j cRES_LDROP
# [... Allow Local SERVER offerings (smtp, http, etc) ]
# [... Any services which are forwarded ... ]
# [... Allow some ICMP ... ]
iptables -A INPUT -i eth1 -j cLDROP
iptables -A FORWARD -i eth1 -j cLDROP
# FW script done
* Re: subnet problem
2004-07-18 22:10 ` Mail Lists
@ 2004-07-19 9:12 ` Antony Stone
2004-07-20 3:15 ` Mail Lists
2004-07-19 10:52 ` John A. Sullivan III
1 sibling, 1 reply; 8+ messages in thread
From: Antony Stone @ 2004-07-19 9:12 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 11:10 pm, Mail Lists wrote:
> More details - firewall generated by a script - this is the
> what the script actually runs ... I've removed some (hopefully)
> not relevant bits and heres the remainder of script output.
You have some *really* weird netmasks in this list. For example:
> # User defined Chains ...
> # Drop reserved, broadcast rfc 1918 etc
>
> iptables -A INPUT -s 1.0.0.0/7 -i eth1 -j cRES_LDROP
> iptables -A INPUT -s 173.0.0.0/5 -i eth1 -j cRES_LDROP
> iptables -A INPUT -s 181.0.0.0/6 -i eth1 -j cRES_LDROP
> iptables -A INPUT -s 185.0.0.0/7 -i eth1 -j cRES_LDROP
> iptables -A INPUT -s 189.0.0.0/7 -i eth1 -j cRES_LDROP
The first octet of all the above addresses is an odd number; therefore
the LSB = 1, therefore any netmask shorter than 8 bits is inappropriate.
Regards,
Antony.
--
RTFM may be the appropriate reply, but please specify exactly which FM to R.
Please reply to the list;
please don't CC me.
* Re: subnet problem
2004-07-19 9:12 ` Antony Stone
@ 2004-07-20 3:15 ` Mail Lists
2004-07-21 23:46 ` Mail Lists
0 siblings, 1 reply; 8+ messages in thread
From: Mail Lists @ 2004-07-20 3:15 UTC (permalink / raw)
To: netfilter
On Mon, Jul 19, 2004 at 10:12:04AM +0100, Antony Stone wrote:
> On Sunday 18 July 2004 11:10 pm, Mail Lists wrote:
>
> > iptables -A INPUT -s 1.0.0.0/7 -i eth1 -j cRES_LDROP
> > iptables -A INPUT -s 173.0.0.0/5 -i eth1 -j cRES_LDROP
> > iptables -A INPUT -s 181.0.0.0/6 -i eth1 -j cRES_LDROP
> > iptables -A INPUT -s 185.0.0.0/7 -i eth1 -j cRES_LDROP
> > iptables -A INPUT -s 189.0.0.0/7 -i eth1 -j cRES_LDROP
>
> The first octet of all the above addresses is an odd number; therefore
> the LSB = 1, therefore any netmask shorter than 8 bits is inappropriate.
Indeed - wacky list - will fix - I'm assuming that might cause
problems. Looks like 173/5 is an attempt to represent
173/8 thru 180/8, for example.
Will repair asap.
Thanks kindly,
gene/
>
> Regards,
>
> Antony.
>
> --
> RTFM may be the appropriate reply, but please specify exactly which FM to R.
>
> Please reply to the list;
> please don't CC me.
* Re: subnet problem
2004-07-20 3:15 ` Mail Lists
@ 2004-07-21 23:46 ` Mail Lists
0 siblings, 0 replies; 8+ messages in thread
From: Mail Lists @ 2004-07-21 23:46 UTC (permalink / raw)
To: netfilter
On Mon, Jul 19, 2004 at 11:15:42PM -0400, Mail Lists wrote:
> On Mon, Jul 19, 2004 at 10:12:04AM +0100, Antony Stone wrote:
> > On Sunday 18 July 2004 11:10 pm, Mail Lists wrote:
> >
> > The first octet of all the above addresses is an odd number; therefore
> > the LSB = 1, therefore any netmask shorter than 8 bits is inappropriate.
> Indeed - wacky list - will fix -
Just a thank you follow up. After cleaning up the subnet masks
the only hit on reserved IPs I have now (2 days or so) is an
ACK/RST from 89.205.79.229, which is appropriately dropped.
Thanks again
gene/
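As an added example (not code from the thread, and not part of netfilter or iptables), the script below makes Antony's point concrete with Python's standard ipaddress module. iptables ANDs the address of a -s/-d argument with its mask before installing the rule, and the kernel then compares the packet's masked address against that, so a prefix whose address has bits set outside the mask is silently rewritten: 173.0.0.0/5 is installed, listed by `iptables -L INPUT -n` and matched as 168.0.0.0/5, which covers 168.0.0.0 through 175.255.255.255 and therefore the 172.139.140.122 in the log. The LOG prefix is the same for every rule that jumps to cRES_LDROP, so the log line alone cannot say which INPUT rule matched; walking the rules in chain order against the logged source does. The rule subset and the source address are copied from the posted ruleset and log line (the omitted /8 rules are canonical and behave as written); the helper names are the example's own, and the 173 through 180 range at the end is the one gene's reply says 173/5 was meant to express.

```python
"""Audit iptables -s/-d prefixes whose address has bits outside the mask.

Added example for this thread, not code from the thread or from netfilter.
Standard library only. The prefixes and the source address are copied from
the posted ruleset and log line; restricting to this subset is an assumption
(the omitted /8 rules are canonical and behave exactly as written).
"""
import ipaddress

# Source prefixes from the posted INPUT rules, in chain order.
POSTED_RULES = [
    "10.0.0.0/8",
    "172.16.0.0/12",   # the rule the original post assumed had fired
    "224.0.0.0/4",
    "1.0.0.0/7",       # the five prefixes Antony flagged follow
    "96.0.0.0/3",      # even first octet: canonical, fine as written
    "173.0.0.0/5",
    "181.0.0.0/6",
    "185.0.0.0/7",
    "189.0.0.0/7",
]

LOGGED_SRC = "172.139.140.122"   # SRC= field of the posted log line


def effective_network(rule):
    """The network netfilter actually installs and tests for a -s/-d value.

    iptables ANDs the address with the mask before handing the rule to the
    kernel, so host bits in the typed address are silently discarded;
    strict=False applies the same AND here.
    """
    return ipaddress.ip_network(rule, strict=False)


def has_host_bits(rule):
    """True when the typed address differs from what will be matched."""
    typed = ipaddress.ip_address(rule.split("/")[0])
    return typed != effective_network(rule).network_address


def matching_rules(rules, src):
    """Rules, in chain order, whose effective network contains src.
    The first one is the rule that actually fired."""
    addr = ipaddress.ip_address(src)
    return [r for r in rules if addr in effective_network(r)]


def first_octet_range_to_cidrs(lo, hi):
    """Smallest CIDR set covering lo.0.0.0 .. hi.255.255.255 inclusive;
    the correct way to write a span such as 173/8 through 180/8."""
    first = ipaddress.ip_address("%d.0.0.0" % lo)
    last = ipaddress.ip_address("%d.255.255.255" % hi)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def audit(rules=POSTED_RULES, src=LOGGED_SRC):
    """Report every non-canonical rule (as installed network, first and
    last address it really covers) and the rules that match src."""
    report = {}
    for rule in rules:
        if has_host_bits(rule):
            net = effective_network(rule)
            report[rule] = (str(net), str(net.network_address),
                            str(net.broadcast_address))
    return report, matching_rules(rules, src)


if __name__ == "__main__":
    bad, hits = audit()
    for rule, (net, lo, hi) in bad.items():
        print("%-15s is installed as %-14s = %s .. %s" % (rule, net, lo, hi))
    print("rules matching %s in chain order: %s" % (LOGGED_SRC, hits))
    print("173/8 through 180/8 as CIDR:", first_octet_range_to_cidrs(173, 180))
```

Run it as a script to print the report. To audit a live box, feed audit() the prefixes taken from `iptables-save` output; any rule for which has_host_bits is true should be rewritten as the CIDR list first_octet_range_to_cidrs returns for the range that was actually meant (173 through 180 becomes 173/8, 174/7, 176/6 and 180/8).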
* Re: subnet problem
2004-07-18 22:10 ` Mail Lists
2004-07-19 9:12 ` Antony Stone
@ 2004-07-19 10:52 ` John A. Sullivan III
2004-07-20 3:17 ` Mail Lists
1 sibling, 1 reply; 8+ messages in thread
From: John A. Sullivan III @ 2004-07-19 10:52 UTC (permalink / raw)
To: Mail Lists; +Cc: netfilter
On Sun, 2004-07-18 at 18:10, Mail Lists wrote:
> Right - thanks for any insights - more details below.
>
> On Sun, Jul 18, 2004 at 10:02:20PM +0100, Antony Stone wrote:
> > On Sunday 18 July 2004 9:50 pm, Mail Lists wrote:
> >
> > > cRES_LDROP all -- 172.16.0.0/12 0.0.0.0/0
> > > which I would expect to block 172.16 to 172.31.
> > > ... blocked on 172.139.140.122
> > > ...
> > Please post your ruleset so we can see everything relating to cRES_LDROP.
> >
>
> Hi:
>
> More details - firewall generated by a script - this is the
> what the script actually runs ... I've removed some (hopefully)
> not relevant bits and heres the remainder of script output.
>
> If its easier I'm happy to post the script itself.
>
> #Starting iptables firewall ...
> # Initializing Iptables Firewall ...
> # ** Entering Test mode - nothing is actually run now
>
> iptables -F
> iptables -F -t nat
> iptables -F -t mangle
> iptables -X # Remove any existing user-defined chains.
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
>
> # User defined Chains ...
> # [ ... delete non-relevant stuff ]
>
> iptables --new cRES_LDROP
> iptables -F cRES_LDROP
> iptables -A cRES_LDROP -j LOG --log-level info --log-prefix [FW Drop-Res]
> iptables -A cRES_LDROP -j DROP
<snip>
You are appending a logging rule and then appending a drop rule, so the
order of processing would be log and then drop - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net