Linux Users' Group of Davis (LUGOD)
Page last updated:
2001 Dec 30 16:57

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] ipchains/firewall question


  • Subject: Re: [vox-tech] ipchains/firewall question
  • From: jdnewmil@dcn.davis.ca.us
  • Date: Wed, 18 Oct 2000 16:09:55 -0700
  • References: Pine.LNX.4.21.0010181525210.3814-100000@satan

On Wed, 18 Oct 2000, Peter Jay Salzman wrote:

> On Wed, 18 Oct 2000 jdnewmil@dcn.davis.ca.us wrote:
> 
> > > > By blocking 192.0.0.0/255.0.0.0 you are almost certainly blocking some
> > > > valid public ip addresses, since the class C private addresses are limited
> > > > to 256 networks of 256 hosts each, in the range 192.168.x.y.  You probably
> > > > want to deny 192.168.0.0/255.255.255.0.
> > > 
> > > Untrue.  The 255 in 255.0.0.0 locks all 8 bits in the first field,
> > > which means that it *only* applies to addresses in the 192 network.
> > > The range would be 192.0.0.0 - 192.255.255.255, not 223.255.255.255.
> > 
> > You misread what I said. Class C is DEFINED to be
> > 192.0.0.0-223.255.255.255, and other than this CONVENTION, has nothing to
> > do with the masks actually in use.  The range that Peter specified happens
> > to fall within this range, which means using 255.0.0.0 would be a rather
> > strange thing to do and 255.255.255.0 would be more conventional.
>  
> jeff, if someone came in on _any_ IP address whose first octet is 192, we
> don't want to talk to them.  wouldn't 255.0.0.0 be the correct thing to do?

Why don't you want to talk to them?  You're sure you don't want to talk
to, say, hplb.hpl.hp.com (192.6.10.2)? Or adobe-dns.adobe.com
(192.150.11.30)?

> we use 192.168.0.* for the internal network, but that's a different
> device, and we don't have any chains in use for that device.

The point would be to prevent spoofed packets from getting through your
firewall on the wrong interface.  What was your purpose in denying
192.0.0.0?

A different approach (rather more controllable, but more tedious to
set up) is to deny everything and then allow specific services or
IP sources in.  Take a look at freshmeat for sample firewalls... seawall
seems to be highly recommended.

> thanks!
> pete

You are welcome...

.. a puzzled jeff

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
Work:<JeffN@endecon.com>              Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
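Added example, not from the original thread or from any of the posters: it works through the masks at issue above (which of the public hosts Jeff names a deny on 192.0.0.0/255.0.0.0 actually catches, versus 192.168.0.0/255.255.255.0, and what the classful "class C" range 192.0.0.0-223.255.255.255 corresponds to as a mask) and a minimal form of the anti-spoofing check Jeff describes, so a reader can verify the argument rather than take either side's word for it. The host names and addresses are from the thread except the 192.168.0.5 internal host, which is constructed; the interface name eth0 is an assumption.

```python
# Added example (not from the thread): mask arithmetic behind the ipchains
# dispute, plus a minimal anti-spoofing decision.  Standard library only.
import ipaddress

# Public hosts quoted in the thread, plus one constructed internal address.
SAMPLE_HOSTS = {
    "hplb.hpl.hp.com": "192.6.10.2",
    "adobe-dns.adobe.com": "192.150.11.30",
    "internal-box (constructed)": "192.168.0.5",
}

def in_net(addr, network, netmask):
    """True if addr falls inside network/netmask (dotted mask, ipchains style)."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return ipaddress.ip_address(addr) in net

def blocked_by(network, netmask, hosts=SAMPLE_HOSTS):
    """Names of the sample hosts that a deny rule for network/netmask would catch."""
    return sorted(name for name, ip in hosts.items() if in_net(ip, network, netmask))

def classful_c_range():
    """Historical class C block: leading bits 110, i.e. network 192.0.0.0 with mask 224.0.0.0."""
    net = ipaddress.ip_network("192.0.0.0/224.0.0.0")
    return str(net[0]), str(net[-1])

# RFC 1918 private space.  A packet carrying one of these *source* addresses
# should never arrive on the public-facing interface, whatever its destination.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def spoofed_on_external(src, iface, external_iface="eth0"):
    """Anti-spoof check: private source seen on the external interface -> drop.
    The interface name eth0 is an assumption, not taken from the thread."""
    if iface != external_iface:
        return False
    return any(ipaddress.ip_address(src) in n for n in PRIVATE)

if __name__ == "__main__":
    print("deny 192.0.0.0/255.0.0.0 catches:", blocked_by("192.0.0.0", "255.0.0.0"))
    print("deny 192.168.0.0/255.255.255.0 catches:", blocked_by("192.168.0.0", "255.255.255.0"))
    print("classful C range:", classful_c_range())
    print("192.168.0.5 arriving on eth0 looks spoofed:", spoofed_on_external("192.168.0.5", "eth0"))
```

The 255.0.0.0 rule sweeps in both public hosts along with the internal one, while the 255.255.255.0 rule catches only the 192.168.0.x host; the classful range comes out as a 3-bit mask, which is why "class C" says nothing about which mask a rule should use.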
