* Re: Arbitrary Netmasks
From: Thomas Lussnig @ 2002-05-29 5:22 UTC
To: netfilter

> I've always wondered about the concept of using weird netmasks on private
> internal networks, just to thoroughly confuse anyone who actually breaks
> into them (obscurity isn't security by itself, but any little bit you can
> add on and anything you can do that will break standard tools....)
>
> never had a chance to actually implement it however :-)

I think this "weird" netmask could have a very simple explanation at bigger firms.

Example: a firm with 2 floors and 4 subunits; each subunit has a router with
100 Mbit, and they are numbered serially as they were created.

    1 Floor   10.0.0.0/16   10.2.0.0/24
    2 Floor   10.1.0.0/16   10.3.0.0/24

Now the 100 Mbit backbone is replaced with fibre optic and one router per
floor. And the admin is too lazy to renumber 2 whole units.

This is a simple example, but I think it comes from this direction: it is
sometimes easier to use a weird netmask instead of two or more routing
entries, and aggregation wasn't a choice because of the change time.

Cu
Thomas
* Re: Arbitrary Netmasks
From: Filipe Almeida @ 2002-05-28 14:07 UTC
To: Thomas Heinz; +Cc: netfilter-devel, netfilter

I usually use:

    iptables -A FORWARD -s 0.0.0.255/0.0.0.255 -j DROP
    iptables -A FORWARD -d 0.0.0.255/0.0.0.255 -j DROP
    iptables -A FORWARD -s 0.0.0.0/0.0.0.255 -j DROP
    iptables -A FORWARD -d 0.0.0.0/0.0.0.255 -j DROP

to stop routing of broadcasted packets. This works assuming you only have
256 sized classes.

At 15:18 28-05-2002 +0200, Thomas Heinz wrote:
> Hi
>
> Netfilter supports arbitrary netmasks for IP addresses which is more
> powerful than just those IP/x (0 <= x <= 32) expressions.
> For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
>
> Are masks that cannot be expressed in the IP/x scheme (at least not in one
> rule) used in practice? Are they used at all in firewall rulesets?
>
> Thomas
* Re: Arbitrary Netmasks
From: Henrik Nordstrom @ 2002-05-28 18:45 UTC
To: Filipe Almeida, Thomas Heinz; +Cc: netfilter-devel, netfilter

Which is not generally a valid thing to assume.. the .255 and/or .0 address
may be in use on larger networks, especially if addresses are assigned
dynamically using a large DHCP scope..

On Tuesday 28 May 2002 16:07, Filipe Almeida wrote:
> I usually use:
>
>     iptables -A FORWARD -s 0.0.0.255/0.0.0.255 -j DROP
>     iptables -A FORWARD -d 0.0.0.255/0.0.0.255 -j DROP
>     iptables -A FORWARD -s 0.0.0.0/0.0.0.255 -j DROP
>     iptables -A FORWARD -d 0.0.0.0/0.0.0.255 -j DROP
>
> to stop routing of broadcasted packets. This works assuming you
> only have 256 sized classes.
* Re: Arbitrary Netmasks
From: Filipe Almeida @ 2002-05-29 9:57 UTC
To: Henrik Nordstrom; +Cc: Thomas Heinz, netfilter-devel, netfilter

True. I attach interface (-i/-o) matches so I will only filter my networks.
I wrote those lines off the top of my head so I forgot the -i/-o.

At 20:45 28-05-2002 +0200, Henrik Nordstrom wrote:
> Which is not generally a valid thing to assume.. the .255 and/or .0
> address may be in use on larger networks, especially if addresses are
> assigned dynamically using a large DHCP scope..
>
> On Tuesday 28 May 2002 16:07, Filipe Almeida wrote:
> > I usually use:
> >
> >     iptables -A FORWARD -s 0.0.0.255/0.0.0.255 -j DROP
> >     iptables -A FORWARD -d 0.0.0.255/0.0.0.255 -j DROP
> >     iptables -A FORWARD -s 0.0.0.0/0.0.0.255 -j DROP
> >     iptables -A FORWARD -d 0.0.0.0/0.0.0.255 -j DROP
> >
> > to stop routing of broadcasted packets. This works assuming you
> > only have 256 sized classes.
* Re: Arbitrary Netmasks
From: Patrick Schaaf @ 2002-05-28 15:03 UTC
To: Thomas Heinz; +Cc: netfilter

Hi,

(removed netfilter-devel from the headers, this is not a development Q)

> Netfilter supports arbitrary netmasks for IP addresses which is more
> powerful than just those IP/x (0 <= x <= 32) expressions.
> For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
>
> Are masks that cannot be expressed in the IP/x scheme (at least not in one
> rule) used in practice? Are they used at all in firewall rulesets?

They are used in practice. I have been using them with ipfwadm, and I am
using them with iptables.

What I use them for is "statistical multiplexing" based on one or more of
the low bits (but not the lowest!) of IP addresses. For example, I have a
dual-processor system with two squid processes, and want to distribute a
number of incoming clients evenly (and deterministically) over the two
squid processes. For god-given reasons, under light load, the "even"
client IPs are preferred over the "odd" client IPs. To get a good
distribution for both light load and full load, I look at the second
lowest bit of the client IP address to determine where to REDIRECT to,
like this:

    iptables -t nat -A PREROUTING -s 0.0.0.0/0.0.0.2 -j REDIRECT --to-port 1234
    iptables -t nat -A PREROUTING -s 0.0.0.2/0.0.0.2 -j REDIRECT --to-port 1235

Another real world example I have seen in use in Cisco access-lists, where
the non-contiguous mask works just like in iptables, is to pick out "the
same local ip" in a range of subnets. Imagine you have a number of LANs
with IP addresses 10.23.x.y/16, and y==1 is your default gateway in every
LAN. Given 10.23.0.1/255.255.0.255, you have a single-rule expression for
"all gateways in my LANs", which is preferable (if you manage to keep to
the scheme!) to a sequential list of rules, one per LAN.

best regards
  Patrick
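The rules quoted in this thread (Filipe's 0.0.0.255/0.0.0.255 broadcast drops, Patrick's 0.0.0.2/0.0.0.2 split and the 10.23.0.1/255.255.0.255 gateway wildcard) all rely on the same match: netfilter compares (packet address AND mask) with (rule address AND mask), and nothing requires the mask to be a contiguous run of ones. The following is an added example, not code from the thread or from the netfilter project: a small Python model of that match, run over constructed sample addresses so the reader can see exactly which hosts each mask selects, including Henrik's point that a .255 or .0 host inside a larger block is caught by the broadcast rules. The interface (-i/-o) matches Filipe mentions in his follow-up are not modelled, and the helper names (`matches`, `select`, `is_contiguous`, `prefix_length`) are this example's own.

```python
# Added example (not from the thread): a model of the iptables "addr/mask"
# match. netfilter tests (packet & mask) == (rule_addr & mask); the mask may
# be any 32-bit pattern, not only a prefix. Helper names are this example's
# own, and the HOSTS list is constructed sample data, not a real network.
import ipaddress
from typing import Iterable, List

ALL_ONES = (1 << 32) - 1


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_mask(mask: str) -> int:
    """Accept a dotted-quad mask ('255.255.0.255') or a prefix length ('26')."""
    if mask.isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"bad prefix length: {mask}")
        return ALL_ONES ^ ((1 << (32 - bits)) - 1)
    return _to_int(mask)


def matches(packet_addr: str, rule: str) -> bool:
    """rule is 'addr/mask' as given to iptables -s/-d (mask optional = /32)."""
    addr, _, mask = rule.partition("/")
    m = parse_mask(mask) if mask else ALL_ONES
    return (_to_int(packet_addr) & m) == (_to_int(addr) & m)


def select(addrs: Iterable[str], rule: str) -> List[str]:
    """Return the addresses from addrs that the rule would match."""
    return [a for a in addrs if matches(a, rule)]


def is_contiguous(mask: str) -> bool:
    """True if the mask is ones followed by zeros, i.e. expressible as /x."""
    zeros = (~parse_mask(mask)) & ALL_ONES
    return zeros & (zeros + 1) == 0      # zero bits must look like 0b0..0111


def prefix_length(mask: str) -> int:
    """Prefix length for a contiguous mask; raises for a non-contiguous one."""
    if not is_contiguous(mask):
        raise ValueError(f"{mask} has no /x equivalent")
    return bin(parse_mask(mask)).count("1")


# Constructed sample addresses: gateways and hosts in 10.23.0.0/16, one host
# in 10.24.0.0/16, and hosts in a flat 10.0.0.0/16 whose last octet is
# .255 / .0 even though they are ordinary unicast addresses there.
HOSTS = ["10.23.7.1", "10.23.7.2", "10.23.9.1", "10.24.7.1",
         "10.0.0.5", "10.0.0.6", "10.0.3.255", "10.0.3.0"]

if __name__ == "__main__":
    # Patrick's split on the second-lowest bit of the source address
    print("bit1 clear:", select(HOSTS, "0.0.0.0/0.0.0.2"))
    print("bit1 set:  ", select(HOSTS, "0.0.0.2/0.0.0.2"))
    # "all gateways in my LANs" with one rule
    print("gateways:  ", select(HOSTS, "10.23.0.1/255.255.0.255"))
    # Filipe's broadcast drops; 10.0.3.255 and 10.0.3.0 are hosts, not
    # broadcast/network addresses, in a /16, yet they match (Henrik's caveat)
    print("dropped:   ", select(HOSTS, "0.0.0.255/0.0.0.255")
          + select(HOSTS, "0.0.0.0/0.0.0.255"))
    for m in ("255.255.255.192", "255.0.255.255", "23.13.42.0"):
        desc = "/%d" % prefix_length(m) if is_contiguous(m) else "non-contiguous"
        print(m, "->", desc)
```

Running the block prints the two halves of the bit-1 split, the two gateways 10.23.7.1 and 10.23.9.1, and the two "false positive" hosts 10.0.3.255 and 10.0.3.0 that the broadcast rules would drop; the last loop shows that 255.255.255.192 is just /26 while 255.0.255.255 and 23.13.42.0 have no prefix-length form.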
* Re: Arbitrary Netmasks
From: Henrik Nordstrom @ 2002-05-28 18:53 UTC
To: Thomas Heinz, netfilter

On Tuesday 28 May 2002 15:18, Thomas Heinz wrote:
> Netfilter supports arbitrary netmasks for IP addresses which is
> more powerful than just those IP/x (0 <= x <= 32) expressions.
> For example one could use IP/255.0.255.255 (IP/23.13.42.0 would
> also work ;-).

Yes, this is the fastest method when matching filter expressions..

> Are masks that cannot be expressed in the IP/x scheme (at least
> not in one rule) used in practice? Are they used at all in firewall
> rulesets?

Not in real life networks, but such masks are useful in certain types of
expressions, for example load balancing based on destination, or as
wildcard matches for matching "all your routers / servers / whatever"
assuming you have a well structured addressing scheme in your own
networks..

Regards
Henrik
* Re: Arbitrary Netmasks
From: Joost Remijn @ 2002-05-28 13:30 UTC
To: Stephen Frost; +Cc: Thomas Heinz, netfilter-devel, netfilter

On Tue, 28 May 2002, Stephen Frost wrote:
> * Thomas Heinz (josef.k@mytomorrow.de) wrote:
> > Netfilter supports arbitrary netmasks for IP addresses which is more
> > powerful than just those IP/x (0 <= x <= 32) expressions.
> > For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work
> > ;-).
> >
> > Are masks that cannot be expressed in the IP/x scheme (at least not in one
> > rule) used in practice? Are they used at all in firewall rulesets?
>
> I'm pretty confident they're not valid and don't make sense.

But something like IP/255.255.255.192 is still valid and is probably used
quite a lot. At least I use it. It's easy to use a $NETMASK variable in
scripts for this.

Joost
* Re: Arbitrary Netmasks
From: Thomas Heinz @ 2002-05-28 13:35 UTC
To: netfilter-devel, netfilter

Hi Joost

You wrote:
> But something like IP/255.255.255.192 is still valid and is probably used
> quite a lot. At least I use it. It's easy to use a $NETMASK variable in
> scripts for this.

IP/255.255.255.192 == IP/26

Thomas