Date:      Fri, 1 Dec 2000 14:52:23 -0500
From:      "Shadow" <shadow@gti.net>
To:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, "Igor Roshchin" <str@giganda.komkon.org>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: Danger Ports
Message-ID:  <006b01c05bd0$3a06e730$0501a8c0@fuckoff>
References:  <200011301820.KAA45049@gndrsh.dnsmgr.net>

<digress>
Not to get off topic, but try null routes instead of access lists on routers
for the destination filtering; it eats a lot less CPU time.

ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
</digress>

-Shadow
Sr. Systems Administrator, Global Telecom Inc.
shadow@gti.net

----- Original Message -----
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: "Igor Roshchin" <str@giganda.komkon.org>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Thursday, November 30, 2000 1:20 PM
Subject: Re: Danger Ports


> > > From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
> > > Subject: Re: Danger Ports
> > > Date: Thu, 30 Nov 2000 09:43:57 -0800 (PST)
> > >
> > > Please do all the rest of us a favor and filter the
> > > packets to reserved networks, not just from them.
> > >
> > > > this is right out of the ACL for my core router..
> > > >
> > > > ! reserved networks
> > > > access-list 110 deny   ip 127.0.0.0 0.0.0.255 any log
> > > > access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
> > > > access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
> > > > access-list 110 deny   ip 172.31.0.0 0.0.255.255 any log
> > > > access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
> > >
> > > access-list 110 deny   ip any 127.0.0.0 0.0.0.255 log
> > > access-list 110 deny   ip any 10.0.0.0 0.255.255.255 log
> > > access-list 110 deny   ip any 172.16.0.0 0.15.255.255 log
> > > access-list 110 deny   ip any 172.31.0.0 0.0.255.255 log
> > > access-list 110 deny   ip any 192.168.0.0 0.0.255.255 log
> > >
> > >
> >
> > I am not sure if filtering some reserved networks would not stop legible
> > traffic for some people. E.g. Home.net (@Home, @Work)
> > is using 10.0.0.0 to number their aggregation routers. Thus its
> > users will probably suffer if they block this network at the firewall.
>
> No they won't suffer, reserved networks are reserved, blocking them
> at AS boundaries is a BCP, both source and destination address.  It
> does do some funny things to traceroute, but it doesn't affect normal
> operations:
> traceroute to 199.172.150.100 (199.172.150.100), 30 hops max, 40 byte packets
>  1  12.127.217.157 (12.127.217.157)  9.037 ms  8.890 ms  8.914 ms
>  2  gbr1-p20.wswdc.ip.att.net (12.123.194.130)  15.247 ms  15.217 ms  15.454 ms
>  3  gbr3-p70.wswdc.ip.att.net (12.122.1.157)  16.046 ms  15.984 ms  16.376 ms
>  4  gbr3-p80.sl9mo.ip.att.net (12.122.2.145)  31.230 ms  31.205 ms  31.215 ms
>  5  gbr3-p20.sffca.ip.att.net (12.122.2.74)  71.592 ms  71.609 ms  83.002 ms
>  6  gbr1-p50.sffca.ip.att.net (12.122.1.162)  73.615 ms  70.807 ms  70.809 ms
>  7  ar4-a300s3.sffca.ip.att.net (12.123.12.89)  72.431 ms  72.168 ms  72.241 ms
>  8  12.126.204.18 (12.126.204.18)  72.468 ms  78.563 ms  74.011 ms
>  9  * * *
> 10  * * *
> 11  nblb1.dmz.home.net (199.172.150.100)  72.997 ms  72.785 ms  72.876 ms
>
> Notice what happened to the 192.168.*.* addresses....
>
> > Regards,
> >
> > Igor
> >
> > PS.
> > Here is how a traceroute output looks for a client of @Work:
> >  1  local router ...
> >  2  10.252.4.49 (10.252.4.49)  16.012 ms  12.834 ms  12.852 ms
> >  3  10.252.6.1 (10.252.6.1)  11.823 ms  7.354 ms  4.556 ms
> >  4  c1-pos6-0.hrfrct1.home.net (24.7.74.65)  3.496 ms  15.956 ms  2.303 ms
> >  5  c1-pos6-0.nycmny1.home.net (24.7.69.2)  5.043 ms  7.764 ms  15.248 ms
> >  6  c1-pos8-0.cmdnnj1.home.net (24.7.65.229)  15.514 ms  22.998 ms  9.477 ms
> >  7  24.7.69.33 (24.7.69.33)  66.412 ms  66.057 ms  79.060 ms
> >  8  24.7.76.81 (24.7.76.81)  77.324 ms  65.984 ms  77.516 ms
> >  9  bb1-pos1-0.rwc1.sfba.home.net (24.7.74.118)  66.701 ms  78.673 ms  66.758 ms
> > 10  bfr-ge0-0.excite.com (24.7.70.34)  67.170 ms  66.809 ms  77.240 ms
> > 11  192.168.249.139 (192.168.249.139)  81.213 ms  68.489 ms  81.637 ms
> > 12  192.168.251.4 (192.168.251.4)  67.023 ms  164.883 ms  173.432 ms
> > 13  nblb1.dmz.home.net (199.172.150.100)  179.639 ms  178.223 ms  197.902 ms
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>
> --
> Rod Grimes - KD7CAX @ CN85sl - (RWG25)             rgrimes@gndrsh.dnsmgr.net
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
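Added example, not part of the thread and not code from any of its posters: a Python model of the access-list 110 entries quoted above. It converts the Cisco address/wildcard pairs into prefixes, applies the source-side ("deny ip <reserved> any") and destination-side ("deny ip any <reserved>") rules that Rod asked for, and shows why hops that answer from 192.168.x space print as `* * *` in a traceroute run from behind such a filter, as in Rod's output. It also flags two things a reviewer would check on any hand-written bogon list: the 172.31.0.0 entry is already inside 172.16.0.0/12, and the 127.0.0.0 entry as written covers only a /24 rather than the whole loopback /8. The function names and the probe source address 24.7.74.1 are my own assumptions; the hop addresses come from the traceroutes in the thread.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# The five "deny ... log" entries from access-list 110 as quoted in the
# thread, written as Cisco (address, wildcard) pairs.  A wildcard bit of 1
# means "don't care", so the wildcard is simply the inverted netmask.
ACL_110_RESERVED: List[Tuple[str, str]] = [
    ("127.0.0.0", "0.0.0.255"),
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.15.255.255"),
    ("172.31.0.0", "0.0.255.255"),
    ("192.168.0.0", "0.0.255.255"),
]


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco ACL address/wildcard pair into an IPv4Network (CIDR)."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(
        (address, str(ipaddress.IPv4Address(netmask))), strict=False)


RESERVED = [wildcard_to_network(a, w) for a, w in ACL_110_RESERVED]


class Verdict(NamedTuple):
    action: str                 # "deny" or "permit"
    matched_on: Optional[str]   # "source" or "destination" when denied
    network: Optional[str]      # the reserved prefix that matched, as text


def acl_verdict(src: str, dst: str) -> Verdict:
    """Evaluate one packet against both halves of the ACL from the thread:
    the "deny ip <reserved> any" lines (source check) and the
    "deny ip any <reserved>" lines (destination check)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for net in RESERVED:
        if s in net:
            return Verdict("deny", "source", str(net))
    for net in RESERVED:
        if d in net:
            return Verdict("deny", "destination", str(net))
    return Verdict("permit", None, None)


def traceroute_as_seen(hops: List[str], probe_src: str) -> List[str]:
    """Model what traceroute shows from behind this ACL.  Each hop answers
    with an ICMP time-exceeded sourced from its own address; when that
    source is reserved the reply is dropped and the hop prints as '* * *'."""
    return [h if acl_verdict(h, probe_src).action == "permit" else "* * *"
            for h in hops]


def covered_entries(nets: List[ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Entries fully contained in another entry, i.e. redundant ACL lines."""
    found = []
    for n in nets:
        for m in nets:
            if n != m and n.subnet_of(m):
                found.append((str(n), str(m)))
                break
    return found


if __name__ == "__main__":
    # Constructed sample: hops taken from the @Work path Igor posted, probed
    # from a hypothetical customer address 24.7.74.1 (not from the thread).
    hops = ["10.252.4.49", "24.7.74.65", "192.168.249.139",
            "192.168.251.4", "199.172.150.100"]
    for shown in traceroute_as_seen(hops, "24.7.74.1"):
        print(shown)
    print(covered_entries(RESERVED))   # 172.31.0.0/16 sits inside 172.16.0.0/12
    print(RESERVED[0])                 # 127.0.0.0/24: only part of loopback /8
```

The same prefix list feeds the null-route approach Shadow describes (`ip route <net> <mask> Null0`), which only covers the destination direction; the source-side check in `acl_verdict` is the part a null route cannot replace.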