where list of **reserved address**??? (IP addresses can *drop*)

R. DuFresne dufresne at sysinfo.com
Wed Apr 27 23:22:43 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 27 Apr 2005, Jason Opperisano wrote:

> On Wed, Apr 27, 2005 at 01:33:52PM -0400, R. DuFresne wrote:
>> The only real reason to have a bogon listing of rules in a
>> firewall is those firewalls that tend to be permissive.  Firewalls with
>> default deny policies should not have to deal with keeping an up-to-date
>> listing of the bogons, nor all the clutter and added overhead of rules to
>> disallow these addresses.
>
> that's an odd view.  the most common reason i see for people wanting to
> filter "bogons" is when you make services available to "any" in your DMZ
> (web, mail, dns, etc), and you want to filter out bogus src IPs as they
> are obviously spoofed and the sender is up to no good.  <rant>of course
> none of this would be necessary if f**king ISPs would just perform some
> f**king egress filtering, but i digress...</rant>.


agreed on the egress filtering, and most reasons I've seen for not doing 
egress on network borders are bogus.  But again a DMZ firewall tends to 
be more permissive than a default deny policy, so does not alter my stance 
on this.  DMZs tend to be 'danger zones' anyway, and have to be 
permissive...

>
> as to the security benefit this provides--i'd guess it's pretty
> negligible.  i've run firewalls that filter out the unassigned and
> reserved address spaces, and they do not get a lot of hits.  if i was
> going to spoof my src IP, i wouldn't use an unassigned or reserved block,
> i'd probably use another entity i didn't like...
>
> oh and PS--if you wanna do this--use a list (or write your own script)
> that summarizes the netblocks down, so you have ~40 rules instead of
> 100+.
>

What I was trying to get across, and this might be what you sir are also 
saying, is the resources for all the inactive bogons can really add to a 
rulebase, the traversal of that rulebase and the resources that it takes 
to maintain it in processing power, time and memory, let alone keeping the 
list up-to-date, not to mention the latency that parsing a huge rulebase 
can have on connectivity...

Of course, I'm talking perimeter firewalling; sure, perhaps there are 
reasons to have especially complicated rule sets internally, to prevent 
employees from doing things they should not or only permitting finance 
folks to get to finance servers and such, but some of the things folks are 
doing at their perimeters are not only messy but downright near to 
dangerous in the maintenance of the schemes trying to be employed.

But, please, excuse my rants, I've been fighting battles all day with 
vendors lacking clues and clients being absurd, all part of the daily 
<smile>...

My best to you and yours sir <and list>,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCcAKost+vzJSwZikRAhZ3AJ9h2qesncsduTc83B+DJMu4lX8HRgCfaTd+
CPyaITCpTVV17h5fNzkkkTc=
=Pv3J
-----END PGP SIGNATURE-----
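The netblock summarization Jason suggests in his PS (collapse the list so the firewall carries ~40 rules instead of 100+) is easy to do with the Python standard library. The script below is an added example, not code from this thread or from the netfilter project; the bogon list in it is a constructed sample of well-known reserved ranges with some deliberately redundant and adjacent blocks to show the aggregation, not a current bogon list, and the chain and interface names in the emitted rules are assumptions.

```python
"""Collapse a bogon prefix list to its minimal equivalent set and emit
netfilter DROP rules for it (added example; not from the thread)."""
import ipaddress
from typing import Iterable, List

# Constructed sample list: RFC 1918 and a few other well-known reserved
# ranges, plus blocks chosen to show aggregation at work.  Not a current
# bogon list; a real deployment would pull one from a maintained source
# and re-run this whenever that source changes.
SAMPLE_BOGONS = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.0.2.0/24",
    "192.168.0.0/16",
    "192.168.0.0/24",   # redundant: already inside 192.168.0.0/16
    "198.18.0.0/16",    # adjacent pair ...
    "198.19.0.0/16",    # ... merges into 198.18.0.0/15
    "224.0.0.0/4",      # multicast and "class E" are adjacent ...
    "240.0.0.0/4",      # ... and merge into 224.0.0.0/3
]


def collapse(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the smallest list of networks covering exactly the same
    addresses: contained prefixes are dropped, adjacent ones are merged."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(nets: Iterable[ipaddress.IPv4Network],
                   chain: str = "INPUT", iface: str = "eth0") -> List[str]:
    """Render one DROP rule per collapsed network (chain/iface assumed)."""
    return [f"iptables -A {chain} -i {iface} -s {n.with_prefixlen} -j DROP"
            for n in nets]


def is_bogon(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Check a source address against the collapsed list (useful for
    testing the list offline before loading it into the firewall)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    before = len(SAMPLE_BOGONS)
    collapsed = collapse(SAMPLE_BOGONS)
    print(f"# {before} prefixes collapsed to {len(collapsed)} rules")
    for rule in iptables_rules(collapsed):
        print(rule)
```

Running it on the sample turns 12 prefixes into 9 rules; the same call on a full bogon list gives the kind of reduction Jason describes, and `is_bogon` lets you confirm that an address from a merged block (say 198.19.4.4) is still caught before the shorter rulebase goes live. Remember that this only shrinks the list; it does nothing about keeping it current, which is the maintenance cost Ron is pointing at.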



More information about the netfilter mailing list