Date: Sun, 4 May 2003 12:13:22 -0700 (PDT)
From: "mario" <mario@schmut.com>
To: <chuck@codefab.com>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Netblocks to filter, was: Re: [fw-wiz] Protecting a datacentre with a firewall
Message-ID: <1676.192.168.23.97.1052075602.squirrel@webmail.schmut.com>
In-Reply-To: <3EB53C74.40500@codefab.com>
References: <3EB53C74.40500@codefab.com>
I run a nightly script that diffs these against yesterday's version.

http://www.rfc-editor.org/rfc/rfc3330.txt
http://www.iana.org/assignments/ipv4-address-space

I adjust my rule sets as these change.

BTW I think these are legal.

049/8   May 94   Joint Technical Command (Returned to IANA Mar 98)
050/8   May 94   Joint Technical Command (Returned to IANA Mar 98)

> I'd dug up some information about invalid IP network blocks to filter
> from a discussion on the firewall-wizards mailing list, and converted it
> to a set of IPFW(2) rules:
>
> [ ... ]
>
> And let's raise the bar a little, and see how many firewall vendors
> handle bogus netblocks properly? There's a nice resource here:
> http://www.cymru.com/Bogons/index.html which says:
>
> | How much does it help to filter the bogons? In one study conducted by
> | Rob Thomas of a frequently attacked site, fully 60% of the naughty
> | packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.).
>
> Does Zorp know about and filter these properly? Does Cisco's PIX?
>
> I've been blocking many of them already, but here's my updated set of
> IPFW2 rules, with RFC-1918, autoconf, and multicast addresses commented
> out. I'm doing NAT or divert sockets in some cases and have
> per-interface directional rules, but season to taste:
>
> ####
> # Stop other bogus networks (often used by DDoS attacks)
>
> add deny log all from 0.0.0.0/7 to any
> add deny log all from 2.0.0.0/8 to any
> add deny log all from 5.0.0.0/8 to any
> add deny log all from 7.0.0.0/8 to any
> #add deny log all from 10.0.0.0/8 to any
> add deny log all from 23.0.0.0/8 to any
> add deny log all from 27.0.0.0/8 to any
> add deny log all from 31.0.0.0/8 to any
> add deny log all from 36.0.0.0/7 to any
> add deny log all from 39.0.0.0/8 to any
> add deny log all from 41.0.0.0/8 to any
> add deny log all from 42.0.0.0/8 to any
> add deny log all from 49.0.0.0/8 to any
> add deny log all from 50.0.0.0/8 to any
> add deny log all from 58.0.0.0/7 to any
> add deny log all from 70.0.0.0/7 to any
> add deny log all from 72.0.0.0/5 to any
> add deny log all from 83.0.0.0/8 to any
> add deny log all from 84.0.0.0/6 to any
> add deny log all from 88.0.0.0/5 to any
> add deny log all from 96.0.0.0/3 to any
> #add deny log all from 169.254.0.0/16 to any
> #add deny log all from 172.16.0.0/12 to any
> add deny log all from 173.0.0.0/8 to any
> add deny log all from 174.0.0.0/7 to any
> add deny log all from 176.0.0.0/5 to any
> add deny log all from 184.0.0.0/6 to any
> add deny log all from 189.0.0.0/8 to any
> add deny log all from 190.0.0.0/8 to any
> add deny log all from 192.0.2.0/24 to any
> #add deny log all from 192.168.0.0/16 to any
> add deny log all from 197.0.0.0/8 to any
> add deny log all from 198.18.0.0/15 to any
> add deny log all from 223.0.0.0/8 to any
> #add deny log all from 224.0.0.0/3 to any
>
> --
> -Chuck
>
> PS: If this information is valid and seems useful to other people, maybe
> I'll send-pr these as a set of suggested changes for /etc/rc.firewall.
>
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

my 2 cents
mario;>

----------------------------------------------------
Do you schmut!?
http://www.schmut.com :)
... then again for a real web site you could try:
House Of Sites
http://www.HouseOfSites.net
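Added example, not from either poster and not part of the thread: the nightly diff-and-regenerate job Mario describes, worked through in Python against a constructed excerpt of the IANA /8 listing (the two REGISTRY_* strings below are made up for the example, in the layout of the 2003 listing; only the 049/8 and 050/8 entries are taken from the thread). The script parses the listing, treats the "IANA - Reserved" and "Returned to IANA" designations as bogon (a policy assumption made here; which statuses to deny is the operator's call), collapses adjacent /8s into the supernets Chuck's rules use (0.0.0.0/7, 72.0.0.0/5), renders ipfw add lines, and reports which rules to drop or add since yesterday. The two listings differ in one line to show the case that matters operationally: a block newly allocated out of IANA reserve must come off the deny list the same day or its legitimate traffic is blackholed. One caveat for anyone reading this thread now: the /8 bogon list above is a 2003 snapshot, and IANA allocated its last free /8s in February 2011, so a static copy of those rules would today deny large, legitimately allocated ranges. Only the method survives, which is why the job diffs rather than hard-codes.

```python
"""Generate ipfw(8) bogon deny rules from an IANA-style /8 listing and report
what changed since yesterday.  Added example; the registry text is constructed."""
import ipaddress
import re

# Constructed excerpt in the layout of the 2003 IANA ipv4-address-space
# listing (prefix, date, designation).  049/8 and 050/8 are as quoted in the
# thread; the remaining designations are placeholders, not registry data.
REGISTRY_YESTERDAY = """\
000/8   Sep 81   IANA - Reserved
001/8   Sep 81   IANA - Reserved
002/8   Sep 81   IANA - Reserved
003/8   May 94   Example Corp (constructed entry)
004/8   Dec 92   Example Networks (constructed entry)
005/8   Jul 95   IANA - Reserved
006/8   Feb 94   Example Agency (constructed entry)
007/8   Apr 95   IANA - Reserved
049/8   May 94   Joint Technical Command (Returned to IANA Mar 98)
050/8   May 94   Joint Technical Command (Returned to IANA Mar 98)
"""

# The same listing a day later: 005/8 has been handed out, so its deny rule
# must be removed or traffic from the new allocation is silently dropped.
REGISTRY_TODAY = REGISTRY_YESTERDAY.replace(
    "005/8   Jul 95   IANA - Reserved",
    "005/8   May 03   Example RIR (constructed entry)")

# "NNN/8   Mon YY   designation..."
LINE_RE = re.compile(r"^(\d{3})/8\s+\S+ \d{2}\s+(.*)$")


def parse_registry(text):
    """Map first octet -> designation for every NNN/8 line; skip headers."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[int(m.group(1))] = m.group(2).strip()
    return entries


def is_bogon(designation):
    """Policy assumption: reserved or returned-to-IANA space has no legitimate
    source; everything else is treated as allocated and must not be denied."""
    return "IANA - Reserved" in designation or "Returned to IANA" in designation


def bogon_networks(registry):
    """Collapse the bogon /8s into the fewest CIDR blocks, e.g. 000/8 and
    001/8 become 0.0.0.0/7, as in the posted rule set."""
    nets = [ipaddress.ip_network(f"{octet}.0.0.0/8")
            for octet, desig in registry.items() if is_bogon(desig)]
    return list(ipaddress.collapse_addresses(nets))


def ipfw_rules(nets):
    """Render ipfw(8) add lines in the style of the posted rules."""
    return [f"add deny log all from {net} to any" for net in nets]


def diff_rule_sets(old_rules, new_rules):
    """Return (removed, added): the nightly 'what changed' report."""
    old, new = set(old_rules), set(new_rules)
    return sorted(old - new), sorted(new - old)


def nightly_report(yesterday_text, today_text):
    """Today's full rule list plus the diff against yesterday's list."""
    old = ipfw_rules(bogon_networks(parse_registry(yesterday_text)))
    new = ipfw_rules(bogon_networks(parse_registry(today_text)))
    return new, diff_rule_sets(old, new)


if __name__ == "__main__":
    rules, (removed, added) = nightly_report(REGISTRY_YESTERDAY, REGISTRY_TODAY)
    print("\n".join(rules))
    for r in removed:
        print("- " + r)          # rule to drop: block is now allocated
    for r in added:
        print("+ " + r)          # rule to add: block newly reserved/returned
```

In a cron job the two strings would be yesterday's and today's fetched copies of the IANA listing, and the rendered lines would be written to a file that rc.firewall sources rather than fed to ipfw directly, so a fetch failure leaves the previous rule set in place instead of producing an empty one.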