From owner-freebsd-security Fri Dec 1 11:54:33 2000
From: "Shadow"
To: "Rodney W. Grimes", "Igor Roshchin"
Subject: Re: Danger Ports
Date: Fri, 1 Dec 2000 14:52:23 -0500

Not to get off topic, but try null routes instead of access lists on routers for the destination filtering; it eats a lot less CPU time.

ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0

-Shadow
Sr. Systems Administrator, Global Telecom Inc.
shadow@gti.net

----- Original Message -----
From: "Rodney W. Grimes"
To: "Igor Roshchin"
Cc:
Sent: Thursday, November 30, 2000 1:20 PM
Subject: Re: Danger Ports

> > > From: "Rodney W. Grimes"
> > > Subject: Re: Danger Ports
> > > Date: Thu, 30 Nov 2000 09:43:57 -0800 (PST)
> > >
> > > Please do all the rest of us a favor and filter the
> > > packets to reserved networks, not just from them.
> > >
> > > > this is right out of the ACL for my core router..
> > > >
> > > > ! reserved networks
> > > > access-list 110 deny ip 127.0.0.0 0.0.0.255 any log
> > > > access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
> > > > access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
> > > > access-list 110 deny ip 172.31.0.0 0.0.255.255 any log
> > > > access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
> > > >
> > > access-list 110 deny ip any 127.0.0.0 0.0.0.255 log
> > > access-list 110 deny ip any 10.0.0.0 0.255.255.255 log
> > > access-list 110 deny ip any 172.16.0.0 0.15.255.255 log
> > > access-list 110 deny ip any 172.31.0.0 0.0.255.255 log
> > > access-list 110 deny ip any 192.168.0.0 0.0.255.255 log
> > >
> >
> > I am not sure if filtering some reserved networks would not stop legible
> > traffic for some people. E.g. Home.net (@Home, @Work)
> > is using 10.0.0.0 to number their aggregation routers. Thus its
> > users will probably suffer if they block this network at the firewall.
>
> No they won't suffer, reserved networks are reserved, blocking them
> at AS boundaries is a BCP, both source and destination address. It
> does do some funny things to traceroute, but it doesn't affect normal
> operations:
> traceroute to 199.172.150.100 (199.172.150.100), 30 hops max, 40 byte packets
> 1 12.127.217.157 (12.127.217.157) 9.037 ms 8.890 ms 8.914 ms
> 2 gbr1-p20.wswdc.ip.att.net (12.123.194.130) 15.247 ms 15.217 ms 15.454 ms
> 3 gbr3-p70.wswdc.ip.att.net (12.122.1.157) 16.046 ms 15.984 ms 16.376 ms
> 4 gbr3-p80.sl9mo.ip.att.net (12.122.2.145) 31.230 ms 31.205 ms 31.215 ms
> 5 gbr3-p20.sffca.ip.att.net (12.122.2.74) 71.592 ms 71.609 ms 83.002 ms
> 6 gbr1-p50.sffca.ip.att.net (12.122.1.162) 73.615 ms 70.807 ms 70.809 ms
> 7 ar4-a300s3.sffca.ip.att.net (12.123.12.89) 72.431 ms 72.168 ms 72.241 ms
> 8 12.126.204.18 (12.126.204.18) 72.468 ms 78.563 ms 74.011 ms
> 9 * * *
> 10 * * *
> 11 nblb1.dmz.home.net (199.172.150.100) 72.997 ms 72.785 ms 72.876 ms
>
> Notice what happened to the 192.168.*.* addresses....
>
> > Regards,
> >
> > Igor
> >
> > PS.
> > Here is how a traceroute output looks for a client of @Work:
> > 1 local router ...
> > 2 10.252.4.49 (10.252.4.49) 16.012 ms 12.834 ms 12.852 ms
> > 3 10.252.6.1 (10.252.6.1) 11.823 ms 7.354 ms 4.556 ms
> > 4 c1-pos6-0.hrfrct1.home.net (24.7.74.65) 3.496 ms 15.956 ms 2.303 ms
> > 5 c1-pos6-0.nycmny1.home.net (24.7.69.2) 5.043 ms 7.764 ms 15.248 ms
> > 6 c1-pos8-0.cmdnnj1.home.net (24.7.65.229) 15.514 ms 22.998 ms 9.477 ms
> > 7 24.7.69.33 (24.7.69.33) 66.412 ms 66.057 ms 79.060 ms
> > 8 24.7.76.81 (24.7.76.81) 77.324 ms 65.984 ms 77.516 ms
> > 9 bb1-pos1-0.rwc1.sfba.home.net (24.7.74.118) 66.701 ms 78.673 ms 66.758 ms
> > 10 bfr-ge0-0.excite.com (24.7.70.34) 67.170 ms 66.809 ms 77.240 ms
> > 11 192.168.249.139 (192.168.249.139) 81.213 ms 68.489 ms 81.637 ms
> > 12 192.168.251.4 (192.168.251.4) 67.023 ms 164.883 ms 173.432 ms
> > 13 nblb1.dmz.home.net (199.172.150.100) 179.639 ms 178.223 ms 197.902 ms
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
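The two filtering styles in this thread differ in what they look at: Igor's and Rod's access-list 110 denies on source or destination, while Shadow's null routes only act on the destination the router forwards to. The following model, added here and not taken from any poster, runs both schemes over constructed sample flows to make that gap visible; it assumes flows are (src, dst) IPv4 pairs and mirrors the prefixes exactly as the quoted ACL writes them.

```python
"""Added example (not from the thread): compare ACL filtering of reserved
networks (source or destination) with destination-only null routes.

Assumptions (mine): a flow is a (src, dst) IPv4 pair, the reserved ranges
are the ones in the quoted access-list 110, and a match means "dropped".
"""
from ipaddress import ip_address, ip_network

# Prefixes as written in the quoted ACL (wildcard 0.0.0.255 on 127.0.0.0 is
# a /24; 172.31.0.0/16 is already inside 172.16.0.0/12, so it is omitted here).
RESERVED = [ip_network(n) for n in (
    "127.0.0.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_reserved(addr: str) -> bool:
    """True if addr falls inside any reserved range."""
    a = ip_address(addr)
    return any(a in net for net in RESERVED)


def acl_110_drops(src: str, dst: str) -> bool:
    """Access-list 110 with both halves: deny if source OR destination is reserved."""
    return is_reserved(src) or is_reserved(dst)


def null_route_drops(src: str, dst: str) -> bool:
    """Null0 routes: forwarding consults only the destination, so a packet
    with a reserved source and a routable destination still gets through."""
    return is_reserved(dst)


def evaluate(flows):
    """Map each flow to the verdict of each scheme."""
    return {(s, d): {"acl": acl_110_drops(s, d), "null_route": null_route_drops(s, d)}
            for s, d in flows}


# Constructed sample flows (addresses borrowed from the traceroutes above)
SAMPLE_FLOWS = [
    ("10.252.4.49", "199.172.150.100"),    # RFC1918 source leaking out
    ("12.127.217.157", "192.168.249.139"), # packet addressed to a reserved net
    ("12.127.217.157", "199.172.150.100"), # ordinary public-to-public traffic
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS).items():
        print(flow, verdict)
```

The first sample flow is the one that separates the schemes: the ACL drops it, the null route does not, so null routes save CPU on the destination side only if the source-side deny lines stay in place.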