From owner-freebsd-isp@FreeBSD.ORG Sun May 4 12:12:42 2003
From: "mario"
Reply-To: mario@schmut.com
cc: freebsd-isp@FreeBSD.ORG
Date: Sun, 4 May 2003 12:13:22 -0700 (PDT)
Message-ID: <1676.192.168.23.97.1052075602.squirrel@webmail.schmut.com>
In-Reply-To: <3EB53C74.40500@codefab.com>
References: <3EB53C74.40500@codefab.com>
X-Mailer: SquirrelMail (version 1.2.9)
Subject: Re: Netblocks to filter, was: Re: [fw-wiz] Protecting a datacentre with a firewall
List-Id: Internet Services Providers

I run a nightly script that diffs these against yesterday's version.

http://www.rfc-editor.org/rfc/rfc3330.txt
http://www.iana.org/assignments/ipv4-address-space

I adjust my rule sets as these change.

BTW I think these are legal.

049/8   May 94   Joint Technical Command (Returned to IANA Mar 98)
050/8   May 94   Joint Technical Command (Returned to IANA Mar 98)

> I'd dug up some information about invalid IP network blocks to filter
> from a discussion on the firewall-wizards mailing list, and converted it
> to a set of IPFW(2) rules:
>
> [ ... ]
>
> And let's raise the bar a little, and see how many firewall vendors
> handle bogus netblocks properly? There's a nice resource here:
> http://www.cymru.com/Bogons/index.html which says:
>
> | How much does it help to filter the bogons? In one study conducted by
> | Rob Thomas of a frequently attacked site, fully 60% of the naughty
> | packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.).
>
> Does Zorp know about and filter these properly? Does Cisco's PIX?
>
> I've been blocking many of them already, but here's my updated set of
> IPFW2 rules, with RFC-1918, autoconf, and multicast addresses commented
> out. I'm doing NAT or divert sockets in some cases and have
> per-interface directional rules, but season to taste:
>
> ####
> # Stop other bogus networks (often used by DDoS attacks)
>
> add deny log all from 0.0.0.0/7 to any
> add deny log all from 2.0.0.0/8 to any
> add deny log all from 5.0.0.0/8 to any
> add deny log all from 7.0.0.0/8 to any
> #add deny log all from 10.0.0.0/8 to any
> add deny log all from 23.0.0.0/8 to any
> add deny log all from 27.0.0.0/8 to any
> add deny log all from 31.0.0.0/8 to any
> add deny log all from 36.0.0.0/7 to any
> add deny log all from 39.0.0.0/8 to any
> add deny log all from 41.0.0.0/8 to any
> add deny log all from 42.0.0.0/8 to any
> add deny log all from 49.0.0.0/8 to any
> add deny log all from 50.0.0.0/8 to any
> add deny log all from 58.0.0.0/7 to any
> add deny log all from 70.0.0.0/7 to any
> add deny log all from 72.0.0.0/5 to any
> add deny log all from 83.0.0.0/8 to any
> add deny log all from 84.0.0.0/6 to any
> add deny log all from 88.0.0.0/5 to any
> add deny log all from 96.0.0.0/3 to any
> #add deny log all from 169.254.0.0/16 to any
> #add deny log all from 172.16.0.0/12 to any
> add deny log all from 173.0.0.0/8 to any
> add deny log all from 174.0.0.0/7 to any
> add deny log all from 176.0.0.0/5 to any
> add deny log all from 184.0.0.0/6 to any
> add deny log all from 189.0.0.0/8 to any
> add deny log all from 190.0.0.0/8 to any
> add deny log all from 192.0.2.0/24 to any
> #add deny log all from 192.168.0.0/16 to any
> add deny log all from 197.0.0.0/8 to any
> add deny log all from 198.18.0.0/15 to any
> add deny log all from 223.0.0.0/8 to any
> #add deny log all from 224.0.0.0/3 to any
>
> --
> -Chuck
>
> PS: If this information is valid and seems useful to other people, maybe
> I'll send-pr these as a set of suggested changes for /etc/rc.firewall.

my 2 cents
mario;>
----------------------------------------------------
Do you schmut!? http://www.schmut.com :)
... then again for a real web site you could try:
House Of Sites http://www.HouseOfSites.net
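As an added illustration of the nightly check mario describes (this is not code from either poster), the following Python parses the one-row-per-/8 listing format of the IANA ipv4-address-space file as quoted above, treats blocks marked reserved or returned to IANA as bogons, collapses adjacent /8s into the shortest prefixes the way Chuck's rule set does, and reports which ipfw deny rules to add or retire between two snapshots. The two sample listings are constructed; the status wording on rows other than the two quoted 049/8 and 050/8 lines is an assumption about the file, not taken from it.

```python
import ipaddress
import re

# Constructed sample listings in the row format quoted in the mail. Only the
# 049/8 and 050/8 rows come from the page; the other rows' holder text is assumed.
YESTERDAY = """\
000/8   Sep 81   IANA - Reserved
001/8   Sep 81   IANA - Reserved
002/8   Sep 81   IANA - Reserved
003/8   May 94   General Electric Company
049/8   May 94   Joint Technical Command (Returned to IANA Mar 98)
050/8   May 94   Joint Technical Command (Returned to IANA Mar 98)
"""
# Same listing a day later: 050/8 has (hypothetically) been handed out again.
TODAY = YESTERDAY.replace(
    "050/8   May 94   Joint Technical Command (Returned to IANA Mar 98)",
    "050/8   May 03   Example Registry (constructed)")

# "NNN/8   Mon YY   holder text"; the holder text tells us whether it is assigned.
ROW = re.compile(r"^\s*(\d{3})/8\s+\w{3}\s+\d{2}\s+(.*)$")

def unallocated_blocks(listing):
    """Return the set of /8 networks the listing marks as unassigned
    (reserved by IANA or returned to IANA): the bogon candidates."""
    blocks = set()
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headings, blank lines, notes
        octet, holder = int(m.group(1)), m.group(2)
        if "IANA - Reserved" in holder or "Returned to IANA" in holder:
            blocks.add(ipaddress.ip_network(f"{octet}.0.0.0/8"))
    return blocks

def aggregate(blocks):
    """Collapse adjacent /8s into the shortest prefixes, as the quoted rules do:
    0/8 + 1/8 become 0.0.0.0/7, while 49/8 and 50/8 stay separate."""
    return sorted(ipaddress.collapse_addresses(blocks))

def ipfw_rules(networks):
    return [f"add deny log all from {n} to any" for n in networks]

def nightly_diff(old_listing, new_listing):
    """What the nightly job should tell the operator: deny rules to retire
    (block newly allocated) and deny rules to add (block newly returned)."""
    old, new = unallocated_blocks(old_listing), unallocated_blocks(new_listing)
    return {"retire": ipfw_rules(aggregate(old - new)),
            "add": ipfw_rules(aggregate(new - old))}
```

A block that leaves the bogon set without a corresponding rule change is the failure mode worth alarming on, since a stale deny rule silently drops traffic from a legitimately assigned network.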