* where list of **reserved address**??? (IP addresses can *drop*)
@ 2005-04-26 18:19 Christian Seberino
2005-04-26 18:21 ` Michael Weinert
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Christian Seberino @ 2005-04-26 18:19 UTC (permalink / raw)
To: netfilter
where list of **reserved address**??? (IP address can *drop*)
I had a list but I keep having to remove IP addresses from
it....either list keeps changing or my list is crap....
0.0.0.0/8
1.0.0.0/8
2.0.0.0/8
5.0.0.0/8
7.0.0.0/8
10.0.0.0/8
23.0.0.0/8
27.0.0.0/8
31.0.0.0/8
36.0.0.0/8
37.0.0.0/8
39.0.0.0/8
41.0.0.0/8
42.0.0.0/8
58.0.0.0/8
59.0.0.0/8
60.0.0.0/8
71.0.0.0/8
72.0.0.0/8
73.0.0.0/8
74.0.0.0/8
75.0.0.0/8
76.0.0.0/8
77.0.0.0/8
78.0.0.0/8
79.0.0.0/8
83.0.0.0/8
84.0.0.0/8
85.0.0.0/8
86.0.0.0/8
87.0.0.0/8
88.0.0.0/8
89.0.0.0/8
90.0.0.0/8
91.0.0.0/8
92.0.0.0/8
93.0.0.0/8
94.0.0.0/8
95.0.0.0/8
96.0.0.0/8
97.0.0.0/8
98.0.0.0/8
99.0.0.0/8
100.0.0.0/8
101.0.0.0/8
102.0.0.0/8
103.0.0.0/8
104.0.0.0/8
105.0.0.0/8
106.0.0.0/8
107.0.0.0/8
108.0.0.0/8
109.0.0.0/8
110.0.0.0/8
111.0.0.0/8
112.0.0.0/8
113.0.0.0/8
114.0.0.0/8
115.0.0.0/8
116.0.0.0/8
117.0.0.0/8
118.0.0.0/8
119.0.0.0/8
120.0.0.0/8
121.0.0.0/8
122.0.0.0/8
123.0.0.0/8
124.0.0.0/8
125.0.0.0/8
126.0.0.0/8
127.0.0.0/8
172.16.0.0/12
197.0.0.0/8
201.0.0.0/8
218.0.0.0/8
219.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
223.0.0.0/8
224.0.0.0/4
240.0.0.0/5
241.0.0.0/8
242.0.0.0/8
243.0.0.0/8
244.0.0.0/8
245.0.0.0/8
246.0.0.0/8
247.0.0.0/8
248.0.0.0/8
249.0.0.0/8
250.0.0.0/8
251.0.0.0/8
252.0.0.0/8
253.0.0.0/8
254.0.0.0/8
255.0.0.0/8
* Re: where list of **reserved address**??? (IP addresses can *drop*)
From: Michael Weinert @ 2005-04-26 18:21 UTC (permalink / raw)
To: netfilter

On Tuesday, 26 April 2005 20:19, Christian Seberino wrote:

What about this:

wget http://www.iana.org/assignments/ipv4-address-space

Michael.

> where list of **reserved address**??? (IP address can *drop*)
>
> I had a list but I keep having to remove IP addresses from
> it....either list keeps changing or my list is crap....

-- 
SysQuadrat Systeme mit Sicherheit
Michael Weinert
Stuttgart Filderstadt-Plattenhardt
Tel.: 0711-9970288 Fax: 5360559 Mobil: 0170-4141273
http://www.linux-firewall.de weinert@sys2.de
KeyServer hkp://pgp.mit.edu
* Re: where list of **reserved address**??? (IP addresses can *drop*)
From: Jason Opperisano @ 2005-04-26 18:29 UTC (permalink / raw)
To: netfilter

On Tue, Apr 26, 2005 at 11:19:03AM -0700, Christian Seberino wrote:
> where list of **reserved address**??? (IP address can *drop*)
>
> I had a list but I keep having to remove IP addresses from
> it....either list keeps changing or my list is crap....

the source is:

http://www.iana.org/assignments/ipv4-address-space

and yes--it's a moving target; it actually was just updated on
12Apr2005... allocated networks get returned, unallocated networks get
allocated--such is the ebb and flow of life.

RFC 3330 (http://www.faqs.org/rfcs/rfc3330.html) has more IP addresses
that are for "special use" (hint: don't block those cable TV's, they've
gotten on the Internet in a big way somehow).

write an app to fetch/parse the list and update your "bogon list."
speaking of that term--google for it and you'll find some folks who've
done the work for you.

-j

--
"Stewie: Mark my words, your uppance shall come."
        --Family Guy
* Re: where list of **reserved address**??? (IP addresses can *drop*)
From: Taylor, Grant @ 2005-04-27 15:35 UTC (permalink / raw)
To: netfilter

> where list of **reserved address**??? (IP address can *drop*)
>
> I had a list but I keep having to remove IP addresses from
> it....either list keeps changing or my list is crap....

As has been previously stated (in replies to your message) IANA has a
list of reserved IP addresses
(http://www.iana.org/assignments/ipv4-address-space) which will
periodically change. So I wrote a small script (see below) that will
lynx --dump the page, run an MD5 sum of it and dump it into a file.
Periodically (whenever I feel like having Cron run it) the script will
run and compare the MD5 sum of the page on the web to what I knew about.
If the MD5 sum is different it will email me and let me know.

Also you should look at RFC 3330 as it has a LOT of information (as do
most RFCs) about network addresses that should be allowed to pass.

Grant. . . .

#!/bin/bash
# Fetch IANA's IPv4 address-space page, compare its MD5 with the saved
# copy, and mail the new copy when the page has changed.
URL=http://www.iana.org/assignments/ipv4-address-space
SAVED=~gtaylor/docs/ipv4-address-space

# Fetch once into a temp file, so the copy that is hashed is the copy
# that gets kept (fetching twice could hash one version and save another).
NEW=$(mktemp) || exit 1
lynx --dump "$URL" > "$NEW" || { rm -f "$NEW"; exit 1; }

NewMD5Sum=$(md5sum "$NEW" | cut -f1 -d' ')
# No saved copy yet (first run): empty sum, treated as a change below.
OldMD5Sum=$( [ -f "$SAVED" ] && md5sum "$SAVED" | cut -f1 -d' ' )

if [ "$NewMD5Sum" != "${OldMD5Sum:-null}" ]; then
    mv "$NEW" "$SAVED"
    # ct: my own date-formatting helper, see the note below
    mail -s "New IPv4 Address Space info from IANA ($(ct))" gtaylor@riverviewtech.net < "$SAVED"
else
    rm -f "$NEW"
fi

Note: ct is a small script that I wrote to give me a formatted date
output and is inconsequential in this matter.
* Re: where list of **reserved address**??? (IP addresses can *drop*)
From: R. DuFresne @ 2005-04-27 17:33 UTC (permalink / raw)
To: Taylor, Grant; +Cc: netfilter

The only real reason to have to have a bogon listing of rules in a
firewall are those firewalls that tend to be permissive. Firewalls with
default deny policies should not have to deal with keeping an up-to-date
listing of the bogons, nor all the clutter and added overhead of rules to
disallow these addresses.

Thanks,

Ron DuFresne

On Wed, 27 Apr 2005, Taylor, Grant wrote:

>> where list of **reserved address**??? (IP address can *drop*)
>>
>> I had a list but I keep having to remove IP addresses from it....either
>> list keeps changing or my list is crap....
>
> As has been previously stated (in replies to your message) IANA has a list of
> reserved IP addresses (http://www.iana.org/assignments/ipv4-address-space)
> which will periodically change. So I wrote a small script (see below) that
> will lynx --dump the page and run and MD5 sum of it and dump it in to a file.
> Periodically (when ever I feel like having Cron run it) the script will run
> and compare the page on the web's MD5 sum to what I knew about. If the MD5
> sum is different it will email me and let me know.
>
> Also you should look at RFC 3330 as it has a LOT of information (as do most
> RFCs) about network addresses that should be allowed to pass.
>
> Grant. . . .
>
> #!/bin/bash
>
> NewMD5Sum=`lynx --dump http://www.iana.org/assignments/ipv4-address-space |
> md5sum | cut -f1 -d\ `
> OldMD5Sum=`md5sum ~gtaylor/docs/ipv4-address-space | cut -f1 -d\ `
>
> if [ ${NewMD5Sum} != ${OldMD5Sum:=null} ]; then
>   lynx --dump http://www.iana.org/assignments/ipv4-address-space >
> ~gtaylor/docs/ipv4-address-space
>   cat ~gtaylor/docs/ipv4-address-space | mail -s "New IPv4 Address Space
> info from IANA (`ct`)" gtaylor@riverviewtech.net
> fi
>
> Note: ct is a small script that I wrote to give me a formated date output
> and is inconsequential in this matter.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
* Re: where list of **reserved address**??? (IP addresses can *drop*)
From: Jason Opperisano @ 2005-04-27 18:18 UTC (permalink / raw)
To: netfilter

On Wed, Apr 27, 2005 at 01:33:52PM -0400, R. DuFresne wrote:
> The only real reason to have to have a bogon listing of rules in a
> firewall are those firewalls that tend to be permissive. Firewalls with
> default deny policies should not have to deal with keeping an up-to-date
> listing of the bogons, nor all the clutter and added overhead of rules to
> disallow these addresses.

that's an odd view. the most common reason i see for people wanting to
filter "bogons" is when you make services available to "any" in your DMZ
(web, mail, dns, etc), and you want to filter out bogus src IP's as they
are obviously spoofed and the sender is up to no good. <rant>of course
none of this would be necessary if f**king ISP's would just perform some
f**king egress filtering, but i digress...</rant>.

as to the security benefit this provides--i'd guess it's pretty
negligible. i've run firewalls that filter out the unassigned and
reserved address spaces, and they do not get a lot of hits. if i was
going to spoof my src IP, i wouldn't use an unassigned or reserved block,
i'd probably use another entity i didn't like...

oh and PS--if you wanna do this--use a list (or write your own script)
that summarizes the netblocks down, so you have ~40 rules instead of
100+.

-j

--
"Peter: Hey, Lois, the lost my job smells great. Hey, Meg, could you
pass me the fired my ass for negligence?
Lois: Peter, are you OK?
Peter: Great. I haven't got a job in the world."
        --Family Guy
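Jason's two suggestions in this thread, a script that regenerates the "bogon list" rather than hand-editing it, and aggregating the netblocks so the rulebase is a few dozen rules instead of a hundred, are easy to combine. The script below is an added example and not code from anyone in the thread. It takes the list exactly as Christian posted it (reconstructed inline from the original message, not fetched from IANA), rejects typos with host bits set, drops entries already covered by a larger block (241.0.0.0/8 inside 240.0.0.0/5), merges aligned neighbours (96.0.0.0/8 through 127.0.0.0/8 into 96.0.0.0/3), and emits one iptables DROP rule per aggregated prefix. The chain and interface names, and the IANA page being read from somewhere else, are assumptions; only the prefix list itself comes from the post.

```python
"""Aggregate a bogon prefix list and emit netfilter DROP rules.

Added example, not code from the thread. Chain/interface names are
assumed; the input list is the one from the original post.
"""
import ipaddress
from typing import Iterable, List

# Constructed input: the 97 prefixes from the original post, written as
# ranges of /8s plus the three non-/8 entries so the whole list fits here.
_POSTED_EIGHTS = (
    [0, 1, 2, 5, 7, 10, 23, 27, 31, 36, 37, 39, 41, 42, 58, 59, 60]
    + list(range(71, 80))
    + list(range(83, 128))
    + [197, 201]
    + list(range(218, 224))
    + list(range(241, 256))
)
_POSTED_OTHER = ["172.16.0.0/12", "224.0.0.0/4", "240.0.0.0/5"]


def posted_list() -> str:
    """The posted list as newline-separated text, with a comment line."""
    lines = ["# bogon list as posted; regenerate, do not hand-edit"]
    lines += [f"{n}.0.0.0/8" for n in _POSTED_EIGHTS] + _POSTED_OTHER
    return "\n".join(lines) + "\n"


def parse_prefixes(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line; blank lines and '#' comments are skipped.

    strict=True makes a prefix with host bits set (e.g. 10.0.0.1/8) a hard
    error instead of silently widening it to 10.0.0.0/8: for a DROP list a
    typo should stop the deploy, not quietly drop a different block.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from exc
    return nets


def aggregate(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Remove subsumed prefixes and merge adjacent ones into the fewest CIDRs.

    collapse_addresses only merges the two aligned halves of a supernet, so
    coverage never grows: every address in the output was in the input.
    """
    return list(ipaddress.collapse_addresses(nets))


def is_bogon(nets: Iterable[ipaddress.IPv4Network], addr: str) -> bool:
    """Would this source address be dropped? Check real peers before deploying."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in nets)


def iptables_rules(nets: Iterable[ipaddress.IPv4Network],
                   chain: str = "INPUT", iface: str = "eth0") -> List[str]:
    """One DROP rule per prefix, matched on the assumed external interface.

    A spoofed source is only a signal on the Internet-facing side, so the
    match is tied to that interface rather than applied to all traffic.
    """
    return [f"iptables -A {chain} -i {iface} -s {net} -j DROP" for net in nets]


if __name__ == "__main__":
    raw = parse_prefixes(posted_list())
    agg = aggregate(raw)
    print(f"# {len(raw)} prefixes in, {len(agg)} rules out")
    for rule in iptables_rules(agg):
        print(rule)
```

On the posted list this turns 97 entries into 26 rules; the 224.0.0.0/4 and 240.0.0.0/5 lines plus the fifteen /8s above them collapse to a single 224.0.0.0/3. The is_bogon check is the one to run against addresses you actually expect to see (customers, upstreams, monitoring hosts) before loading the rules, which is the practical form of Jason's "don't block those cable TV's" warning.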
* Re: where list of **reserved address**??? (IP addresses can *drop*)
From: James Sneeringer @ 2005-04-27 19:58 UTC (permalink / raw)
To: netfilter

On Wed, Apr 27, 2005 at 02:18:49PM -0400, Jason Opperisano wrote:
> oh and PS--if you wanna do this--use a list (or write your own script)
> that summarizes the netblocks down, so you have ~40 rules instead of
> 100+.

Cymru's bogon site provides such a list for download.

http://www.cymru.com/Bogons/
http://www.cymru.com/Documents/bogon-bn-agg.txt

-James
* Re: where list of **reserved address**??? (IP addresses can *drop*)
From: R. DuFresne @ 2005-04-27 21:22 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter

On Wed, 27 Apr 2005, Jason Opperisano wrote:

> On Wed, Apr 27, 2005 at 01:33:52PM -0400, R. DuFresne wrote:
>> The only real reason to have to have a bogon listing of rules in a
>> firewall are those firewalls that tend to be permissive. Firewalls with
>> default deny policies should not have to deal with keeping an up-to-date
>> listing of the bogons, nor all the clutter and added overhead of rules to
>> disallow these addresses.
>
> that's an odd view. the most common reason i see for people wanting to
> filter "bogons" is when you make services available to "any" in your DMZ
> (web, mail, dns, etc), and you want to filter out bogus src IP's as they
> are obviously spoofed and the sender is up to no good. <rant>of course
> none of this would be necessary if f**king ISP's would just perform some
> f**king egress filtering, but i digress...</rant>.

agreed on the egress filtering and most reasons I've seen for not doing
egress on network borders are bogus. But again a DMZ firewall tends to
be more permissive than a default deny policy, so does not alter my
stance on this. DMZs tend to be 'danger zones' anyways, and have to be
permissive...

> as to the security benefit this provides--i'd guess it's pretty
> negligible. i've run firewalls that filter out the unassigned and
> reserved address spaces, and they do not get a lot of hits. if i was
> going to spoof my src IP, i wouldn't use an unassigned or reserved block,
> i'd probably use another entity i didn't like...
>
> oh and PS--if you wanna do this--use a list (or write your own script)
> that summarizes the netblocks down, so you have ~40 rules instead of
> 100+.

What I was trying to get across, and this might be what you sir are also
saying, is that the resources for all the inactive bogons can really add
to a rulebase, the traversal of that rulebase and the resources that it
takes to maintain it in processing power, time and memory, let alone
keeping the list up-to-date, not to mention the latency that parsing a
huge rulebase can have on connectivity...

Of course, I'm talking perimeter firewalling; sure, perhaps there are
reasons to have especially complicated rule sets internally, to prevent
employees from doing things they should not or only permitting finance
folks to get to finance servers and such, but some of the things folks
are doing at their perimeters are not only messy, but downright near to
dangerous in the maintenance of the schemes trying to be employed.

But, please, excuse my rants, I've been fighting battles all day with
vendors lacking clues and clients being absurd, all part of the daily
<smile>...

My best to you and yours sir <and list>,

Ron DuFresne

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>