Re: [vox-tech] ipchains/firewall question
Yeah Pete, you dumbass :P.
signed
192.168.0.1
Jay Strauss
jstrauss@bazillion.com
(h) 773.935.5326
(c) 312.617.0264
----- Original Message -----
From: "Ted Deppner" <ted@psyber.com>
To: <vox-tech@franz.mother.com>
Sent: Wednesday, October 18, 2000 7:42 PM
Subject: Re: [vox-tech] ipchains/firewall question
> On Wed, Oct 18, 2000 at 04:32:18PM -0700, Peter Jay Salzman wrote:
> > yes, i'm absolutely, positively fantastically, unequivocally, super-duper sure.
> > i don't even want to talk to support1.adobe.com (192.150.11.35).
> >
> > i hope i convinced you i don't want to talk with *anyone* whose ip address
> > starts with 192. i would go even farther -- i don't even want to talk to
> > anyone with an ip address of 19*.*.*.
> >
> > did i forget to mention to you that i really don't want to talk to any ip
> > address that begins with 192? :)
> >
> > why not? if nobody comes a-knockin', nobody here wants to listen...
> >
> > that's what i plan to do. it'll take awhile to compile the addresses, but
> > in the meantime...
>
> With all due respect...
>
> I cannot fathom why you are discussing blocking 192.0.0.0/8 or 19*.*.*.*.
> This indicates a basic lack of understanding about IP routing, netmasks,
> and (drum roll) an appropriate network design.
>
> Either you are being silly (which makes for a short career in the
> firewalls field), or you really shouldn't be building firewall rulesets.
>
> As Micah mentioned the internal network space is 192.168.0.0/16 and
> should be blocked from reaching the world, or the world reaching in to
> you. Other spaces are 10.0.0.0/8 and 172.16.0.0/26.
>
> Also, rather than removing access from 19*.*.*.*, you should probably
> focus on what you will allow, with a default of deny.
>
> As such,
> block traffic to or from the following networks via any public
> interface:
> 10.0.0.0/8
> 172.16.0.0/16
> 192.168.0.0/16
> Install a default INPUT policy of DENY.
> Install an ACCEPT rule for your management IP ranges
> CONSULT WITH AN EXPERT
>
> Notice that last one?
>
> And for completeness your proposed ruleset is totally and completely
> wrong (it is correct to the question you asked, but wrong from a proper
> network design standpoint). Here it is again:
>
> ipchains -A input -s 192.0.0.0/255.0.0.0 -i eth0 -j DENY
>
> According to your design eth0 is the public side. Blocking packets
> sourced from 192.0.0.0/8 is pointless. You want to block packets destined
> for your internal network of 192.168.0.0/24.
>
> The following ruleset snippet is more correct, though not anywhere near
> complete:
> ipchains -F input
> ipchains -P input DENY
> # block stuff we should never even receive # REDUNDANT given policy
> ipchains -A input -s 10.0.0.0/8 -i eth0 -j DENY
> ipchains -A input -s 172.16.0.0/16 -i eth0 -j DENY
> ipchains -A input -s 192.168.0.0/16 -i eth0 -j DENY
> # block stuff we should never even receive # REDUNDANT given policy
> ipchains -A input -d 10.0.0.0/8 -i eth0 -j DENY
> ipchains -A input -d 172.16.0.0/16 -i eth0 -j DENY
> ipchains -A input -d 192.168.0.0/16 -i eth0 -j DENY
> # allow some management
> ipchains -A input -s pete's_home_ip/32 -i eth0 -j ACCEPT
>
>
> It's not my point to belittle or ridicule, but security is exceptionally
> important. To hear the lack of understanding on this issue flaunted is
> very discomforting.
>
> Get an expert. Sit at their feet. Learn.
>
> --
> Ted Deppner
> http://www.psyber.com/~ted/
>
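The argument in Ted's reply is about first-match semantics and chain policy: a single `-s 192.0.0.0/8 DENY` rule on a chain whose policy is still ACCEPT does nothing about packets destined for the internal network, whereas a default-DENY policy with anti-spoofing rules and an explicit management ACCEPT does. The following toy evaluator, added here as an illustration and not part of the thread or of ipchains itself, models just enough of the input chain (interface, source, destination, first match wins, then policy) to run both rulesets over constructed sample packets. The public and management addresses (198.51.100.x, 203.0.113.7 standing in for `pete's_home_ip`) are made-up documentation-range values; the 172.16.0.0/12 prefix is the RFC 1918 range, which is wider than the /16 used in the quoted snippet.

```python
"""Toy evaluator for an ipchains-style input chain (added example, not from the thread).

It models only what the discussion needs: -i / -s / -d matching, first-match
semantics, and the chain policy.  Real ipchains also matches protocol, ports,
TCP flags, ICMP types, and so on.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# RFC 1918 private ranges.  172.16.0.0/12 (172.16.0.0 - 172.31.255.255) is the
# real block; a /16 would leave 172.17.0.0 - 172.31.255.255 unfiltered.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    target: str                  # -j ACCEPT or DENY
    iface: Optional[str] = None  # -i
    src: Optional[str] = None    # -s
    dst: Optional[str] = None    # -d

    def matches(self, pkt: dict) -> bool:
        if self.iface is not None and self.iface != pkt["iface"]:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        return True


def verdict(chain: list, policy: str, pkt: dict) -> str:
    """First matching rule decides; if nothing matches, the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def evaluate_all(chain: list, policy: str) -> dict:
    """Run every constructed sample packet through a chain; returns name -> verdict."""
    return {name: verdict(chain, policy, pkt) for name, pkt in SAMPLE_PACKETS.items()}


# Pete's original: one rule, chain policy left at its ACCEPT default.
ORIGINAL_POLICY = "ACCEPT"
ORIGINAL_CHAIN = [Rule("DENY", iface="eth0", src="192.0.0.0/8")]

# Ted's direction: default DENY, drop private source/destination on the public
# side, then explicitly allow the management address.
MGMT_IP = "203.0.113.7/32"   # constructed placeholder for pete's_home_ip/32
PROPOSED_POLICY = "DENY"
PROPOSED_CHAIN = (
    [Rule("DENY", iface="eth0", src=str(n)) for n in PRIVATE_NETS]
    + [Rule("DENY", iface="eth0", dst=str(n)) for n in PRIVATE_NETS]
    + [Rule("ACCEPT", iface="eth0", src=MGMT_IP)]
)

# Constructed packets; eth0 is the public side, 198.51.100.10 the firewall's own
# public address, eth1 the LAN side.
SAMPLE_PACKETS = {
    "adobe_to_firewall":    {"iface": "eth0", "src": "192.150.11.35",  "dst": "198.51.100.10"},
    "spoofed_internal_src": {"iface": "eth0", "src": "192.168.0.5",    "dst": "198.51.100.10"},
    "spoofed_172_31_src":   {"iface": "eth0", "src": "172.31.9.9",     "dst": "198.51.100.10"},
    "public_to_internal":   {"iface": "eth0", "src": "198.51.100.200", "dst": "192.168.0.1"},
    "management":           {"iface": "eth0", "src": "203.0.113.7",    "dst": "198.51.100.10"},
    "random_public":        {"iface": "eth0", "src": "8.8.8.8",        "dst": "198.51.100.10"},
    # With a DENY policy and no eth1 rules, LAN traffic is dropped too: this is
    # the "not anywhere near complete" part of the quoted snippet.
    "lan_side":             {"iface": "eth1", "src": "192.168.0.2",    "dst": "198.51.100.10"},
}


if __name__ == "__main__":
    orig = evaluate_all(ORIGINAL_CHAIN, ORIGINAL_POLICY)
    prop = evaluate_all(PROPOSED_CHAIN, PROPOSED_POLICY)
    print(f"{'packet':24} {'original':10} {'proposed':10}")
    for name in SAMPLE_PACKETS:
        print(f"{name:24} {orig[name]:10} {prop[name]:10}")
```

The row worth looking at is `public_to_internal`: the original rule accepts it, because the source is a public address, while the proposed chain denies it on the `-d 192.168.0.0/16` rule. The `spoofed_172_31_src` row shows what the /12 buys over the /16 in the quoted list, and `lan_side` shows that a default-DENY policy needs explicit rules for the inside interface before the firewall is usable.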