* Re: Arbitrary Netmasks
       [not found] <20020528132402.GN9802@ns>
@ 2002-05-28 13:30 ` Joost Remijn
  2002-05-28 13:35   ` Thomas Heinz
  0 siblings, 1 reply; 8+ messages in thread
From: Joost Remijn @ 2002-05-28 13:30 UTC (permalink / raw)
  To: Stephen Frost; +Cc: Thomas Heinz, netfilter-devel, netfilter



On Tue, 28 May 2002, Stephen Frost wrote:

> * Thomas Heinz (josef.k@mytomorrow.de) wrote:
> > Netfilter supports arbitrary netmasks for IP addresses which is more
> > powerful than just those IP/x (0 <= x <= 32) expressions.
> > For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work
> > ;-).
> >
> > Are masks that cannot be expressed in the IP/x scheme (at least not in one
> > rule) used in practice? Are they used at all in firewall rulesets?
>
> I'm pretty confident they're not valid and don't make sense.


But something like IP/255.255.255.192 is still valid and is probably used
quite a lot. At least I use it. It's easy to use a $NETMASK variable in
scripts for this.

Joost




* Re: Arbitrary Netmasks
  2002-05-28 13:30 ` Joost Remijn
@ 2002-05-28 13:35   ` Thomas Heinz
  0 siblings, 0 replies; 8+ messages in thread
From: Thomas Heinz @ 2002-05-28 13:35 UTC (permalink / raw)
  To: netfilter-devel, netfilter

Hi Joost

You wrote:

> But something like IP/255.255.255.192 is still valid and is probably used
> quite a lot. At least I use it. It's easy to use a $NETMASK variable in
> scripts for this.


IP/255.255.255.192 == IP/26


Thomas





* Re: Arbitrary Netmasks
       [not found] <3CF383A9.7000106@mytomorrow.de>
@ 2002-05-28 14:07 ` Filipe Almeida
  2002-05-28 18:45   ` Henrik Nordstrom
  2002-05-28 15:03 ` Patrick Schaaf
  2002-05-28 18:53 ` Henrik Nordstrom
  2 siblings, 1 reply; 8+ messages in thread
From: Filipe Almeida @ 2002-05-28 14:07 UTC (permalink / raw)
  To: Thomas Heinz; +Cc: netfilter-devel, netfilter

I usually use:

iptables -A FORWARD -s 0.0.0.255/0.0.0.255 -j DROP
iptables -A FORWARD -d 0.0.0.255/0.0.0.255 -j DROP
iptables -A FORWARD -s 0.0.0.0/0.0.0.255 -j DROP
iptables -A FORWARD -d 0.0.0.0/0.0.0.255 -j DROP

to stop routing of broadcasted packets. This works assuming you only have 
256 sized classes.

At 15:18 28-05-2002 +0200, Thomas Heinz wrote:
>Hi
>
>Netfilter supports arbitrary netmasks for IP addresses which is more
>powerful than just those IP/x (0 <= x <= 32) expressions.
>For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
>
>Are masks that cannot be expressed in the IP/x scheme (at least not in one
>rule) used in practice? Are they used at all in firewall rulesets?
>
>
>Thomas







* Re: Arbitrary Netmasks
       [not found] <3CF383A9.7000106@mytomorrow.de>
  2002-05-28 14:07 ` Filipe Almeida
@ 2002-05-28 15:03 ` Patrick Schaaf
  2002-05-28 18:53 ` Henrik Nordstrom
  2 siblings, 0 replies; 8+ messages in thread
From: Patrick Schaaf @ 2002-05-28 15:03 UTC (permalink / raw)
  To: Thomas Heinz; +Cc: netfilter

Hi,

(removed netfilter-devel from the headers, this is not a development Q)

> Netfilter supports arbitrary netmasks for IP addresses which is more
> powerful than just those IP/x (0 <= x <= 32) expressions.
> For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
> 
> Are masks that cannot be expressed in the IP/x scheme (at least not in one
> rule) used in practice? Are they used at all in firewall rulesets?

They are used in practice. I have been using them with ipfwadm, and I am
using them with iptables.

What I use them for, is "statistical multiplexing" based on one or more
of the low bits (but not the lowest!) of IP addresses. For example, I have
a dual-processor system with two squid processes, and want to distribute
a number of incoming clients evenly (and deterministically) over the two
squid processes. For god-given reasons, under light load, the "even"
client IPs are preferred over the "odd" client IPs. To get a good distribution
for both light load and full load, I look at the second lowest bit of the
client IP address to determine where to REDIRECT to, like this:

iptables -t nat -A PREROUTING -s 0.0.0.0/0.0.0.2 -j REDIRECT --to-port 1234
iptables -t nat -A PREROUTING -s 0.0.0.2/0.0.0.2 -j REDIRECT --to-port 1235

Another real world example I have seen in use in Cisco access-lists,
where the noncontiguous mask works just like in iptables, is to pick
out "the same local ip" in a range of subnets. Imagine you have a
number of LANs with IP addresses 10.23.x.y/16, and y==1 is your
default gateway in every LAN. Given 10.23.0.1/255.255.0.255, you
have a single-rule expression for "all gateways in my LANs", which
is preferable (if you manage to keep to the scheme!) to a sequential
list of rules, one per LAN.

best regards
  Patrick



* Re: Arbitrary Netmasks
  2002-05-28 14:07 ` Filipe Almeida
@ 2002-05-28 18:45   ` Henrik Nordstrom
  2002-05-29  9:57     ` Filipe Almeida
  0 siblings, 1 reply; 8+ messages in thread
From: Henrik Nordstrom @ 2002-05-28 18:45 UTC (permalink / raw)
  To: Filipe Almeida, Thomas Heinz; +Cc: netfilter-devel, netfilter

Which is not generally a valid thing to assume.. the .255 and/or .0 
address may be in use on larger networks, especially if addresses are 
assigned dynamically using a large DHCP scope..


On Tuesday 28 May 2002 16:07, Filipe Almeida wrote:
> I usually use:
>
> iptables -A FORWARD -s 0.0.0.255/0.0.0.255 -j DROP
> iptables -A FORWARD -d 0.0.0.255/0.0.0.255 -j DROP
> iptables -A FORWARD -s 0.0.0.0/0.0.0.255 -j DROP
> iptables -A FORWARD -d 0.0.0.0/0.0.0.255 -j DROP
>
> to stop routing of broadcasted packets. This works assuming you
> only have 256 sized classes.



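An added example (not code from any poster in this thread) that reproduces netfilter's `(packet & mask) == (rule_addr & mask)` comparison in Python for both the dotted and the prefix-length forms: it confirms Thomas's IP/255.255.255.192 == IP/26 equivalence, reports which masks have a hole and so cannot be written as IP/x in one rule, walks Patrick's second-lowest-bit REDIRECT rules and his 255.255.0.255 gateway match, and shows the host Henrik warns about (an x.x.1.255 address inside a /16 DHCP scope) being caught by Filipe's drop rules. The `first_match` chain walker and its default `ACCEPT` policy are assumptions made for the demo, not part of any posted rule.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def parse_match(spec):
    """Parse an iptables-style 'addr/mask' where mask is a prefix length (/26)
    or a dotted quad that may be non-contiguous (/0.0.0.2). A missing mask
    means a single host. Returns (addr & mask, mask) as 32-bit ints."""
    addr, _, mask = spec.partition("/")
    a = int(ipaddress.IPv4Address(addr))
    if not mask:
        m = ALL_ONES
    elif mask.isdigit():
        m = (ALL_ONES << (32 - int(mask))) & ALL_ONES
    else:
        m = int(ipaddress.IPv4Address(mask))
    return a & m, m

def prefix_len(mask):
    """Prefix length x for a contiguous mask (255.255.255.192 -> 26), or None
    when the mask has a hole and so cannot be written as IP/x in one rule."""
    host_bits = (~mask) & ALL_ONES
    if host_bits & (host_bits + 1):        # not a pure run of trailing ones
        return None
    return 32 - host_bits.bit_length()

def matches(spec, ip):
    """netfilter's address test: (packet_ip & mask) == (rule_addr & mask)."""
    net, m = parse_match(spec)
    return (int(ipaddress.IPv4Address(ip)) & m) == net

def first_match(chain, ip, policy="ACCEPT"):
    """Walk (spec, target) rules in order like an iptables chain and return
    the first matching target; 'policy' stands in for the chain policy
    (assumed for this demo)."""
    for spec, target in chain:
        if matches(spec, ip):
            return target
    return policy

# Patrick's PREROUTING split on the second-lowest bit of the client IP
SQUID_CHAIN = [("0.0.0.0/0.0.0.2", "REDIRECT 1234"),
               ("0.0.0.2/0.0.0.2", "REDIRECT 1235")]
# Filipe's FORWARD drops for x.x.x.255 and x.x.x.0 sources
BCAST_CHAIN = [("0.0.0.255/0.0.0.255", "DROP"),
               ("0.0.0.0/0.0.0.255", "DROP")]
```

`prefix_len` reports 26 for the 255.255.255.192 mask and None for the 255.255.0.255 gateway mask or the 0.0.0.2 bit-split mask. `first_match(BCAST_CHAIN, "10.0.1.255")` returns "DROP" even though that can be an ordinary host in a /16 DHCP scope, which is exactly Henrik's objection.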

* Re: Arbitrary Netmasks
       [not found] <3CF383A9.7000106@mytomorrow.de>
  2002-05-28 14:07 ` Filipe Almeida
  2002-05-28 15:03 ` Patrick Schaaf
@ 2002-05-28 18:53 ` Henrik Nordstrom
  2 siblings, 0 replies; 8+ messages in thread
From: Henrik Nordstrom @ 2002-05-28 18:53 UTC (permalink / raw)
  To: Thomas Heinz, netfilter

On Tuesday 28 May 2002 15:18, Thomas Heinz wrote:

> Netfilter supports arbitrary netmasks for IP addresses which is
> more powerful than just those IP/x (0 <= x <= 32) expressions.
> For example one could use IP/255.0.255.255 (IP/23.13.42.0 would
> also work ;-).

Yes, this is the fastest method when matching filter expressions..

> Are masks that cannot be expressed in the IP/x scheme (at least
> not in one rule) used in practice? Are they used at all in firewall
> rulesets?

Not in real life networks, but such masks are useful in certain types 
of expressions, for example load balancing based on destination, or 
as wildcard matches for matching "all your routers / servers / 
whatever" assuming you have a well structured addressing scheme in 
your own networks..

Regards
Henrik




* Re: Arbitrary Netmasks
       [not found] <Pine.LNX.4.44.0205281532550.12350-100000@dlang.diginsite.com>
@ 2002-05-29  5:22 ` Thomas Lussnig
  0 siblings, 0 replies; 8+ messages in thread
From: Thomas Lussnig @ 2002-05-29  5:22 UTC (permalink / raw)
  To: netfilter


>
>
>I've always wondered about the concept of using weird netmasks on private
>internal networks, just to thoroughly confuse anyone who actually breaks
>into them (obscurity isn't security by itself, but any little bit you can
>add on and anything you can do that will break standard tools....)
>
>never had a chance to actually implement it however :-)
>
I think this "weird" netmask could have a very simple explanation at
bigger firms.

Example:
A firm with 2 floors and 4 subunits; each subunit has a router with
100MBit, and they were numbered serially when they were created.
1 Floor 10.0.0.0/16 10.2.0.0/24
2 Floor 10.1.0.0/16 10.3.0.0/24
Now the 100MBit backbone is replaced with fiber optic and one router
per floor, and the admin is too lazy to renumber 2 whole units. This is
a simple example, but I think that is the direction it comes from: it
is sometimes easier to use a weird netmask instead of two or more routing
entries, and aggregation wasn't a choice because of the change time.

Cu Thomas



* Re: Arbitrary Netmasks
  2002-05-28 18:45   ` Henrik Nordstrom
@ 2002-05-29  9:57     ` Filipe Almeida
  0 siblings, 0 replies; 8+ messages in thread
From: Filipe Almeida @ 2002-05-29  9:57 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: Thomas Heinz, netfilter-devel, netfilter

True.
I attach interface (-i/-o) matches so I will only filter my networks. I
wrote those lines off the top of my head so I forgot the -i/-o.

At 20:45 28-05-2002 +0200, Henrik Nordstrom wrote:
>Which is not generally a valid thing to assume.. the .255 and/or .0
>address may be in use on larger networks, especially if addresses are
>assigned dynamically using a large DHCP scope..
>
>
>On Tuesday 28 May 2002 16:07, Filipe Almeida wrote:
> > I usually use:
> >
> > iptables -A FORWARD -s 0.0.0.255/0.0.0.255 -j DROP
> > iptables -A FORWARD -d 0.0.0.255/0.0.0.255 -j DROP
> > iptables -A FORWARD -s 0.0.0.0/0.0.0.255 -j DROP
> > iptables -A FORWARD -d 0.0.0.0/0.0.0.255 -j DROP
> >
> > to stop routing of broadcasted packets. This works assuming you
> > only have 256 sized classes.



