From: "Rodney W. Grimes"
Message-Id: <200001250926.BAA70323@gndrsh.dnsmgr.net>
Subject: Re: more complete ipfw rules
In-Reply-To: <4.1.20000124201245.00962220@mail.thegrid.net> from The Mad Scientist at "Jan 24, 2000 08:51:27 pm"
To: madscientist@thegrid.net (The Mad Scientist)
Date: Tue, 25 Jan 2000 01:26:26 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG

...
> I have this commented-out line in my ruleset.
> #$fwcmd add 550 deny log ip from 169.254.0.0/16 to any in via ${out_if}
> Don't quite remember what it's for. I hope it's not another wasted class
> B. Can anyone enlighten me?

It is another wasted class B, it is not in any global bgp4 view I can
find, and disallowed as either src or dst on many a border router. I
seem to recall some of either the Microsoft or Novell software uses them
on a local network to run strange protocols over IP that don't need to
be global routed, but can't find any reference notes to them here.

> watchtower:/root# whois -a 169.254.0.0
> Internet Assigned Numbers Authority (IANA)
> (NETBLK-LINKLOCAL)
> For use with Link Local Networks
> Information Sciences Institute
> University of Southern California
> 4676 Admiralty Way, Suite 330
> Marina del Rey, CA 90292-6695
>
> Netname: LINKLOCAL
> Netblock: 169.254.0.0 - 169.254.255.255
...

You chopped off the important detail:

    Domain System inverse mapping provided by:

    BLACKHOLE.ISI.EDU    128.9.64.26

Generally IP that you find with this as the name server should have just
that done to them at boundaries between AS's, both as a source and
destination address!

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)    rgrimes@gndrsh.dnsmgr.net
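
Added example, not part of the original message or of FreeBSD: a small Python check that reads ipfw rule lines and reports whether 169.254.0.0/16 is actually denied both as a source and as a destination, as the reply recommends. The parser covers only the rule shape quoted in the thread; rule 551 in the sample is constructed, and rule order and the in/out/via options are not evaluated (assumptions).

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Subset of ipfw syntax as quoted in the thread (assumption, not a full grammar):
#   [$fwcmd|ipfw] add [num] <action> [log] <proto> from <src> to <dst> [options]
RULE_RE = re.compile(
    r"^(?:\S+\s+)?add\s+(?:(?P<num>\d+)\s+)?(?P<action>\w+)\s+(?:log\s+)?"
    r"(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<opts>.*)$"
)

def _covers(spec, net):
    """True if the CIDR in an ipfw address field contains all of net."""
    try:
        return net.subnet_of(ipaddress.ip_network(spec, strict=False))
    except (ValueError, TypeError):
        return False  # 'any', hostnames and shell variables are not networks

def audit(ruleset, net=LINK_LOCAL):
    """Return {'src': bool, 'dst': bool}: is net denied as source / destination?"""
    found = {"src": False, "dst": False}
    for line in ruleset.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out rule filters nothing
        m = RULE_RE.match(line)
        if not m or m["action"] != "deny" or m["proto"] not in ("ip", "all"):
            continue
        if _covers(m["src"], net) and m["dst"] == "any":
            found["src"] = True
        if _covers(m["dst"], net) and m["src"] == "any":
            found["dst"] = True
    return found

# The rule exactly as quoted in the thread: still commented out.
COMMENTED = "#$fwcmd add 550 deny log ip from 169.254.0.0/16 to any in via ${out_if}\n"

# Constructed sample: rule 550 enabled, plus a hypothetical rule 551 for the
# destination side that the reply asks for.
BOTH = (
    "$fwcmd add 550 deny log ip from 169.254.0.0/16 to any in via ${out_if}\n"
    "$fwcmd add 551 deny log ip from any to 169.254.0.0/16 out via ${out_if}\n"
)

if __name__ == "__main__":
    for name, rules in (("commented", COMMENTED), ("both", BOTH)):
        print(name, audit(rules))
```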