Linux Users Group of Davis
Page last updated:
2001 Dec 30 16:57

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] ipchains/firewall question

  • Subject: Re: [vox-tech] ipchains/firewall question
  • From: jdnewmil@dcn.davis.ca.us
  • Date: Wed, 18 Oct 2000 16:09:55 -0700
  • References: Pine.LNX.4.21.0010181525210.3814-100000@satan

On Wed, 18 Oct 2000, Peter Jay Salzman wrote:

> On Wed, 18 Oct 2000 jdnewmil@dcn.davis.ca.us wrote:
> > > > By blocking you are almost certainly blocking some
> > > > valid public ip addresses, since the class C private addresses are limited
> > > > to 256 networks of 256 hosts each, in the range 192.168.x.y.  You probably
> > > > want to deny
> > > 
> > > Untrue.  The 255 in locks all 8 bits in the first field,
> > > which means that it *only* applies to addresses in the 192 network.
> > > The range would be -, not
> > 
> > You misread what I said. Class C is DEFINED to be
> >, and other than this CONVENTION, has nothing to
> > do with the masks actually in use.  The range that Peter specified happens
> > to fall within this range, which means using would be a rather
> > strange thing to do and would be more conventional.
> jeff, if someone came in on _any_ IP address whose first octet is 192, we
> don't want to talk to them.  wouldn't be the correct thing to do?

Why don't you want to talk to them?  You're sure you don't want to talk
to, say, hplb.hpl.hp.com ( Or adobe-dns.adobe.com

> we use 192.168.0.* for the internal network, but that's a different
> device, and we don't have any chains in use for that device.

The point would be to prevent spoofed packets from getting through your
firewall on the wrong interface.  What was your purpose in denying

A different approach (rather more controllable, but more tedious to
set up) is to deny everything and then allow specific services or
IP sources in.  Take a look at freshmeat for sample firewalls... seawall
seems to be highly recommended.

> thanks!
> pete

You are welcome...

.. a puzzled jeff

Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
Work:<JeffN@endecon.com>              Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
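
An added example, not part of Jeff's reply or of the original thread: a
small ipchains script that does what the last two paragraphs of the reply
suggest, i.e. deny everything on the input chain, then let specific services
and sources through, and drop the private LAN range when it arrives on the
outside interface (the anti-spoofing point). The interface names eth0/eth1,
the list of allowed services, the in_net helper and the address 192.0.2.1
(a constructed address from the documentation range) are assumptions made
for illustration.

```shell
#!/bin/sh
# Added example: a minimal default-deny ipchains ruleset for a two-interface
# gateway. Not from the original thread. Interface names, the service list
# and the in_net helper are assumptions.
# Run as root to apply; set DRY_RUN=1 (or lack ipchains) to print the rules.

EXT_IF=eth0              # assumed: interface facing the Internet
INT_IF=eth1              # assumed: interface facing the LAN
INT_NET=192.168.0.0/16   # RFC 1918 range the thread says is used internally
ALLOWED_TCP="22 25 80"   # assumed: services reachable from the outside

command -v ipchains >/dev/null 2>&1 || DRY_RUN=1

# run ARGS...: apply one ipchains command, or print it in dry-run mode.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# firewall_rules: flush the input chain, deny by default, then open holes.
firewall_rules() {
    run -F input
    run -P input DENY
    # Anti-spoofing: the LAN prefix must never arrive on the external
    # interface, so deny it on that interface only. A wider mask here
    # (192.0.0.0/8) would also cut off every legitimate public 192.x.x.x
    # host, which is the objection raised in the thread. -l logs the hit.
    run -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    # Loopback and the LAN side are trusted.
    run -A input -i lo -j ACCEPT
    run -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # Replies to connections we opened: non-SYN TCP to unprivileged ports.
    run -A input -i "$EXT_IF" -p tcp ! -y --dport 1024:65535 -j ACCEPT
    # The handful of services we actually offer.
    for port in $ALLOWED_TCP; do
        run -A input -i "$EXT_IF" -p tcp --dport "$port" -j ACCEPT
    done
}

# ip2int A.B.C.D: dotted quad to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_net ADDR NET/BITS: succeed if ADDR falls inside the prefix. Lets you
# check how far a deny rule reaches before committing it: 192.0.2.1 (a
# constructed address from the documentation range) is inside 192.0.0.0/8
# but outside 192.168.0.0/16.
in_net() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

firewall_rules
```

Run it with DRY_RUN=1 first and read the generated rules before applying
them as root; in_net lets you test the reach of a mask offline, which is
exactly the /8 versus /16 question argued above. ipchains is the 2.2-kernel
filter; the same structure carries over to iptables (-P INPUT DROP,
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP) and, on current kernels, to
nftables.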
