From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: where list of **reserved address**??? (IP addresses can *drop*)
Date: Wed, 27 Apr 2005 14:18:49 -0400 [thread overview]
Message-ID: <20050427181849.GA23747@bender.817west.com> (raw)
In-Reply-To: <Pine.LNX.4.60.0504271331080.9550@darkstar.sysinfo.com>
On Wed, Apr 27, 2005 at 01:33:52PM -0400, R. DuFresne wrote:
> The only real reason to have to have a bogon listing of rules in a
> firewall are those firewalls that tend to be permissive. Firewalls with
> default deny policies should not have to deal with keeping an up-to-date
> listing of the bogons, nor all the clutter and added overhead of rules to
> disallow these addresses.
that's an odd view. the most common reason i see for people wanting to
filter "bogons" is when you make services available to "any" in your DMZ
(web, mail, dns, etc), and you want to filter out bogus src IP's as they
are obviously spoofed and the sender is up to no good. <rant>of course
none of this would be necessary if f**king ISP's would just perform some
f**king egress filtering, but i digress...</rant>.
as to the security benefit this provides--i'd guess it's pretty
negligible. i've run firewalls that filter out the unassigned and
reserved address spaces, and they do not get a lot of hits. if i was
going to spoof my src IP, i wouldn't use an unassigned or reserved block,
i'd probably use another entity i didn't like...
oh and PS--if you wanna do this--use a list (or write your own script)
that summarizes the netblocks down, so you have ~40 rules instead of
100+.
-j
--
"Peter: Hey, Lois, the lost my job smells great. Hey, Meg, could
you pass me the fired my ass for negligence?
Lois: Peter, are you OK?
Peter: Great. I haven't got a job in the world."
--Family Guy
next prev parent reply other threads:[~2005-04-27 18:18 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-26 18:19 where list of **reserved address**??? (IP addresses can *drop*) Christian Seberino
2005-04-26 18:21 ` Michael Weinert
2005-04-26 18:29 ` Jason Opperisano
2005-04-27 15:35 ` Taylor, Grant
2005-04-27 17:33 ` R. DuFresne
2005-04-27 18:18 ` Jason Opperisano [this message]
2005-04-27 19:58 ` James Sneeringer
2005-04-27 21:22 ` R. DuFresne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050427181849.GA23747@bender.817west.com \
--to=opie@817west.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.