l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
November 4: Social gathering
Next Installfest:
TBD
Latest News:
Oct. 10: LUGOD Installfests coming again soon
Page last updated:
2001 Dec 30 16:57

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] ipchains/firewall question
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] ipchains/firewall question



On Wed, Oct 18, 2000 at 04:32:18PM -0700, Peter Jay Salzman wrote:
> yes, i'm absolutely, positively fantstically, unequivocally, super-duper sure.
> i don't even want to talk to support1.adobe.com (192.150.11.35).
> 
> i hope i convinced you i don't want to talk with *anyone* whose ip address
> starts with 192.   i would go even farther -- i don't even want to talk to
> anyone with an ip address of 19*.*.*.
> 
> did i forget to mention to you that i really don't want to talk to any ip
> address that begins with 192?  :)
> 
> why not?  if nobody comes a-knockin', nobody here wants to listen...
> 
> that's what i plan to do.  it'll take awhile to compile the addresses, but
> in the meantime...

With all due respect...

I cannot fathom why you are discussing blocking 192.0.0.0/8 or 19*.*.*.*.
This indicates a basic lack of understanding about IP routing, netmasks,
and (drum roll) an appropriate network design.

Either you are being silly (which makes for a short career in the
firewalls field), or you really shouldn't be building firewall rulesets.

As Micah mentioned the internal network space is 192.168.0.0/16 and
should be blocked from reaching the world, or the world reaching in to
you.  Other spaces are 10.0.0.0/8 and 172.16.0.0/26.

Also, rather than removing access from 19*.*.*.*, you should probably
focus on what you will allow, with a default of deny.

As such, 
  block traffic to or from the following networks via any public
    interface:
        10.0.0.0/8
        172.16.0.0/16
        192.168.0.0/16
  Install a default INPUT policy of DENY.
  Install a ACCEPT rule for your management IP ranges
  CONSULT WITH AN EXPERT

Notice that last one?

And for completeness your proposed ruleset is totally and completely
wrong (it correct to the question you asked, but wrong from a proper
network design standpoint).  Here it is again:

  ipchains -A input -s 192.0.0.0/255.0.0.0 -i eth0 -j DENY

According to your design eth0 is the public side.  Blocking packets
sourced from 192.0.0.0/8 is pointless.  You want to block packets destined
for your internal network of 192.168.0.0/24.

The following ruleset snippet is more correct, though not anywhere near
complete:
  ipchains -F input
  ipchains -P input DENY
  # block stuff we should never even receive    # REDUNDANT given policy
  ipchains -A input -s 10.0.0.0/8 -i eth0 -j DENY
  ipchains -A input -s 172.16.0.0/16 -i eth0 -j DENY
  ipchains -A input -s 192.168.0.0/16 -i eth0 -j DENY
  # block stuff we should never even receive    # REDUNDANT given policy
  ipchains -A input -d 10.0.0.0/8 -i eth0 -j DENY
  ipchains -A input -d 172.16.0.0/16 -i eth0 -j DENY
  ipchains -A input -d 192.168.0.0/16 -i eth0 -j DENY
  # allow some management
  ipchains -A input -s pete's_home_ip/32 -i eth0 -j ACCEPT


It's not my point to belittle or ridicule, but security is exceptionally
important.  To hear the lack of understanding on this issue flaunted is
very discomforting.  

Get an expert.  Sit at their feet.  Learn.  

-- 
Ted Deppner
http://www.psyber.com/~ted/


LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
EDGE Tech Corp.
For donating some give-aways for our meetings.