Date: Thu, 30 Nov 2000 10:20:57 -0800 (PST)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: str@giganda.komkon.org (Igor Roshchin)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Danger Ports
Message-ID: <200011301820.KAA45049@gndrsh.dnsmgr.net>
In-Reply-To: <200011301802.NAA27215@giganda.komkon.org> from Igor Roshchin at "Nov 30, 2000 01:02:44 pm"
> > From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
> > Subject: Re: Danger Ports
> > Date: Thu, 30 Nov 2000 09:43:57 -0800 (PST)
> >
> > Please do all the rest of us a favor and filter the
> > packets to reserved networks, not just from them.
> >
> > > this is right out of the ACL for my core router..
> > >
> > > ! reserved networks
> > > access-list 110 deny ip 127.0.0.0 0.0.0.255 any log
> > > access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
> > > access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
> > > access-list 110 deny ip 172.31.0.0 0.0.255.255 any log
> > > access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
> >
> > access-list 110 deny ip any 127.0.0.0 0.0.0.255 log
> > access-list 110 deny ip any 10.0.0.0 0.255.255.255 log
> > access-list 110 deny ip any 172.16.0.0 0.15.255.255 log
> > access-list 110 deny ip any 172.31.0.0 0.0.255.255 log
> > access-list 110 deny ip any 192.168.0.0 0.0.255.255 log
> >
>
> I am not sure if filtering some reserved networks would not stop legible
> traffic for some people. E.g. Home.net (@Home, @Work)
> is using 10.0.0.0 to number their aggregation routers. Thus its
> users will probably suffer if they block this network at the firewall.

No, they won't suffer. Reserved networks are reserved; blocking them at
AS boundaries is a BCP, both source and destination address.
It does do some funny things to traceroute, but it doesn't affect normal
operations:

traceroute to 199.172.150.100 (199.172.150.100), 30 hops max, 40 byte packets
 1  12.127.217.157 (12.127.217.157)  9.037 ms  8.890 ms  8.914 ms
 2  gbr1-p20.wswdc.ip.att.net (12.123.194.130)  15.247 ms  15.217 ms  15.454 ms
 3  gbr3-p70.wswdc.ip.att.net (12.122.1.157)  16.046 ms  15.984 ms  16.376 ms
 4  gbr3-p80.sl9mo.ip.att.net (12.122.2.145)  31.230 ms  31.205 ms  31.215 ms
 5  gbr3-p20.sffca.ip.att.net (12.122.2.74)  71.592 ms  71.609 ms  83.002 ms
 6  gbr1-p50.sffca.ip.att.net (12.122.1.162)  73.615 ms  70.807 ms  70.809 ms
 7  ar4-a300s3.sffca.ip.att.net (12.123.12.89)  72.431 ms  72.168 ms  72.241 ms
 8  12.126.204.18 (12.126.204.18)  72.468 ms  78.563 ms  74.011 ms
 9  * * *
10  * * *
11  nblb1.dmz.home.net (199.172.150.100)  72.997 ms  72.785 ms  72.876 ms

Notice what happened to the 192.168.*.* addresses....

> Regards,
>
> Igor
>
> PS.
> Here is how a traceroute output looks for a client of @Work:
> 1 local router ...
> 2 10.252.4.49 (10.252.4.49) 16.012 ms 12.834 ms 12.852 ms
> 3 10.252.6.1 (10.252.6.1) 11.823 ms 7.354 ms 4.556 ms
> 4 c1-pos6-0.hrfrct1.home.net (24.7.74.65) 3.496 ms 15.956 ms 2.303 ms
> 5 c1-pos6-0.nycmny1.home.net (24.7.69.2) 5.043 ms 7.764 ms 15.248 ms
> 6 c1-pos8-0.cmdnnj1.home.net (24.7.65.229) 15.514 ms 22.998 ms 9.477 ms
> 7 24.7.69.33 (24.7.69.33) 66.412 ms 66.057 ms 79.060 ms
> 8 24.7.76.81 (24.7.76.81) 77.324 ms 65.984 ms 77.516 ms
> 9 bb1-pos1-0.rwc1.sfba.home.net (24.7.74.118) 66.701 ms 78.673 ms 66.758 ms
> 10 bfr-ge0-0.excite.com (24.7.70.34) 67.170 ms 66.809 ms 77.240 ms
> 11 192.168.249.139 (192.168.249.139) 81.213 ms 68.489 ms 81.637 ms
> 12 192.168.251.4 (192.168.251.4) 67.023 ms 164.883 ms 173.432 ms
> 13 nblb1.dmz.home.net (199.172.150.100) 179.639 ms 178.223 ms 197.902 ms
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
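As an added illustration (not part of either message in the thread), a small Python model of the quoted access-list 110 entries using Cisco wildcard-mask semantics, applied to the hop addresses from Igor's @Work traceroute to show which hops a tracer outside that network would see as `* * *`. The probe source 198.51.100.7 is a constructed documentation address, and the trailing permit is an assumption, since the thread quotes only the deny lines.

```python
import ipaddress

# The five "reserved networks" exactly as they appear in the quoted access-list 110
# (Cisco address/wildcard pairs; the same blocks are denied as source and as destination).
RESERVED = [
    ("127.0.0.0", "0.0.0.255"),       # as written this covers 127.0.0.0/24, not all of 127/8
    ("10.0.0.0", "0.255.255.255"),    # 10/8
    ("172.16.0.0", "0.15.255.255"),   # 172.16/12 (already contains the 172.31 entry below)
    ("172.31.0.0", "0.0.255.255"),    # 172.31/16
    ("192.168.0.0", "0.0.255.255"),   # 192.168/16
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


def acl_110(src: str, dst: str) -> str:
    """Evaluate the quoted deny entries for one packet. 'permit' assumes a later permit
    entry exists; the thread shows only the deny lines (a Cisco ACL otherwise ends in an
    implicit deny)."""
    for base, wc in RESERVED:
        if wildcard_match(src, base, wc) or wildcard_match(dst, base, wc):
            return "deny"
    return "permit"


def traceroute_view(hops: list[str], probe_src: str) -> list[str]:
    """What a tracer behind the ACL sees: each hop answers with an ICMP time-exceeded whose
    source is the hop's own address, so a hop numbered from a reserved block is dropped
    at the boundary and prints as '* * *'."""
    return [hop if acl_110(hop, probe_src) == "permit" else "* * *" for hop in hops]


# Hop addresses transcribed from Igor's @Work traceroute (hop 1, "local router", omitted).
AT_WORK_HOPS = [
    "10.252.4.49", "10.252.6.1", "24.7.74.65", "24.7.69.2", "24.7.65.229",
    "24.7.69.33", "24.7.76.81", "24.7.74.118", "24.7.70.34",
    "192.168.249.139", "192.168.251.4", "199.172.150.100",
]

if __name__ == "__main__":
    # Constructed probe source (a documentation address) standing in for a host behind acl 110.
    for n, shown in enumerate(traceroute_view(AT_WORK_HOPS, "198.51.100.7"), start=2):
        print(f"{n:2d}  {shown}")
```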