where list of **reserved address**??? (IP addresses can *drop*)

Jason Opperisano opie at 817west.com
Wed Apr 27 20:18:49 CEST 2005


On Wed, Apr 27, 2005 at 01:33:52PM -0400, R. DuFresne wrote:
> The only real reason to have to have a bogon listing of rules in a 
> firewall are those firewalls that tend to be permissive.  Firewalls with 
> default deny policies should not have to deal with keeping an up-to-date 
> listing of the bogons, nor all the clutter and added overhead of rules to 
> disallow these addresses.

that's an odd view.  the most common reason i see for people wanting to
filter "bogons" is when you make services available to "any" in your DMZ
(web, mail, dns, etc), and you want to filter out bogus src IP's as they
are obviously spoofed and the sender is up to no good.  <rant>of course
none of this would be necessary if f**king ISP's would just perform some
f**king egress filtering, but i digress...</rant>.

as to the security benefit this provides--i'd guess it's pretty
negligible.  i've run firewalls that filter out the unassigned and
reserved address spaces, and they do not get a lot of hits.  if i was
going to spoof my src IP, i wouldn't use an unassigned or reserved block,
i'd probably use another entity i didn't like...

oh and PS--if you wanna do this--use a list (or write your own script)
that summarizes the netblocks down, so you have ~40 rules instead of 
100+.

-j

--
"Peter: Hey, Lois, the lost my job smells great. Hey, Meg, could
 you pass me the fired my ass for negligence? 
 Lois: Peter, are you OK?
 Peter: Great. I haven't got a job in the world."
        --Family Guy



More information about the netfilter mailing list