Niels Kristian Jensen
2004-Feb-17 18:24 UTC
Error in the rfc1918 file (Shorewall ver 1.4.8 release)
One of my (Danish) users has the following IP assigned permanently to his ADSL connection:

83.88.93.155

The line

83.0.0.0/8

should therefore be deleted from the /etc/shorewall/rfc1918 file, IMHO.

Best regards,
Niels Kristian Jensen
Denmark
Andreas Bittner
2004-Feb-17 18:52 UTC
Re: Error in the rfc1918 file (Shorewall ver 1.4.8 release)
> 83.88.93.155
> The line
> 83.0.0.0/8
> should therefore be deleted from the /etc/shorewall/rfc1918 file, IMHO.

where is the problem exactly?

http://www.iana.org/assignments/ipv4-address-space

clearly displays that your ip range is used by the ripe. you should update your rfc1918 file regularly with

http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/

for example, or any other means that fits your needs.

cheers, andy
Niels Kristian Jensen
2004-Feb-17 19:43 UTC
Re: Error in the rfc1918 file (Shorewall ver 1.4.8 release)
shorewall-users-bounces+nkj=internetgruppen.dk@lists.shorewall.net wrote:

> http://www.iana.org/assignments/ipv4-address-space
> clearly displays that your ip range is used by the ripe. you should
> update your rfc1918 file regularly with
>
> http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
>
> for example, or any other means that fits your needs.

The only problem was that I wasn't aware that the reserved networks file (/etc/shorewall/rfc1918) changed THAT much and THAT often.

There are a lot of differences between the rfc1918 file that came with 1.4.8 and the current one.

My firewall is a very bare-bones setup without Python (it doesn't even run a mailer), so I'll have to set up a surveillance system on another box.

Thanks for the help, and sorry I didn't check the available help in closer detail before I wrote to the list.

Best regards,
Niels Kristian Jensen
Denmark
John S. Andersen
2004-Feb-17 21:51 UTC
Re: Error in the rfc1918 file (Shorewall ver 1.4.8 release)
On 17 Feb 2004 at 20:43, Niels Kristian Jensen wrote:

> shorewall-users-bounces+nkj=internetgruppen.dk@lists.shorewall.net
> wrote:
>
> > http://www.iana.org/assignments/ipv4-address-space
> > clearly displays that your ip range is used by the ripe. you should
> > update your rfc1918 file regularly with
> >
> > http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
> >
> > for example, or any other means that fits your needs.
>
> The only problem was that I wasn't aware that the reserved networks
> file (/etc/shorewall/rfc1918) changed THAT much and THAT often.
>
> There are a lot of differences between the rfc1918 file that came with
> 1.4.8 and the current one.

Realistically, the rfc1918 file need only contain those IP ranges that are commonly used for private networks. The idea is to keep any other rfc1918 traffic on your upstream from entering your network. (It's not uncommon to find private subnets running around on cable modem systems because it's a fairly quick and dirty way to network two buildings separated by a couple of miles.)

Invalid or unassigned ranges only appear on spam, and seldom in a way the firewall would be useful, because (theoretically) these are not routed by your upstream. Hackers will sometimes use unassigned address space, but if rfc1918 is your best defense against those guys you're screwed anyway.

--
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska http://www.screenio.com/
Andreas Bittner
2004-Feb-17 22:02 UTC
Re: Error in the rfc1918 file (Shorewall ver 1.4.8 release)
> The only problem was that I wasn't aware that the reserved networks file
> (/etc/shorewall/rfc1918) changed THAT much and THAT often.

well, sometimes new big dialup/consumer network address space gets assigned around the globe, as we run out of ipv4 space (not really ;)

anyways, sometimes i also forget the rfc1918 address space, and that allocation might change every now and then. it's actually not a bad method of blocking spoofing folks and officially non-present/non-used ip address space, but i think it would be better if shorewall somehow would stay up2date automatically, or anyone got any better idea?

> Thanks for the help, and sorry I didn't check the available help in
> closer detail before I wrote to the list.

don't worry, was just pointing you to the related documentation.

cheers.
Tom Eastep
2004-Feb-17 22:10 UTC
Re: Error in the rfc1918 file (Shorewall ver 1.4.8 release)
On Tuesday 17 February 2004 02:02 pm, Andreas Bittner wrote:

> > The only problem was that I wasn't aware that the reserved networks
> > file (/etc/shorewall/rfc1918) changed THAT much and THAT often.
>
> well, sometimes new big dialup/consumer network address space gets
> assigned around the globe, as we run out of ipv4 space (not really ;)
>
> anyways, sometimes i also forget the rfc1918 address space, and that
> allocation might change every now and then. it's actually not a bad
> method of blocking spoofing folks and officially non-present/non-used ip
> address space, but i think it would be better if shorewall somehow would
> stay up2date automatically, or anyone got any better idea?

If I had it to do over again, the 'norfc1918' option would be exactly that -- it would block requests from those address ranges reserved by RFC 1918. If the user wanted to block requests from unassigned address blocks, it would be the user's responsibility to do it (probably using blacklisting).

I personally think that having all of the IANA-unassigned addresses in the file is a PITA, and my personal copy of the file has those blocks stripped from it (see http://www.shorewall.net/myfiles.htm).

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
David T Hollis
2004-Feb-19 06:27 UTC
Re: Error in the rfc1918 file (Shorewall ver 1.4.8 release)
On Tue, 2004-02-17 at 14:10 -0800, Tom Eastep wrote:

> If I had it to do over again, the 'norfc1918' option would be exactly that --
> it would block requests from those address ranges reserved by RFC 1918. If
> the user wanted to block requests from unassigned address blocks, it would be
> the user's responsibility to do it (probably using blacklisting).
>
> I personally think that having all of the IANA-unassigned addresses in the
> file is a PITA, and my personal copy of the file has those blocks stripped
> from it (see http://www.shorewall.net/myfiles.htm).
>
> -Tom

It would seem to make more sense to make the norfc1918 option just that - no RFC1918 addresses. For the unassigned IANA blocks, a nobogons option could be used.

--
David T Hollis <dhollis@davehollis.com>
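Added example (Python; not part of this thread and not Shorewall code) of the split Tom and David describe: it separates the three RFC 1918 ranges from the IANA-unassigned entries that go stale, shows which entry would drop the address from the first message, and produces the stripped copy Tom keeps. It assumes a two-column SUBNET/TARGET layout for the rfc1918 file and uses a constructed sample, not the file shipped with 1.4.8.

```python
import ipaddress

# The three private ranges actually reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the SUBNET/TARGET layout assumed for the 1.4 rfc1918 file.
SAMPLE_RFC1918_FILE = """\
#SUBNET          TARGET
10.0.0.0/8       logdrop
172.16.0.0/12    logdrop
192.168.0.0/16   logdrop
83.0.0.0/8       logdrop
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

def parse_entries(text):
    """Return (network, target) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            subnet, target = body.split()[:2]
            net = ipaddress.ip_network(subnet, strict=False)
            entries.append((net, target.lower()))
    return entries

def is_rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)

def bogon_entries(entries):
    """Entries outside RFC 1918 space: the ones that go stale as IANA assigns blocks."""
    return [(str(net), target) for net, target in entries if not is_rfc1918(net)]

def blocking_entry(entries, addr):
    """First entry matching addr, as the file is applied top-down; RETURN exempts."""
    ip = ipaddress.ip_address(addr)
    for net, target in entries:
        if ip in net:
            return None if target == "return" else (str(net), target)
    return None

def strip_bogons(text):
    """Rewrite the file keeping comments and RFC 1918 entries only."""
    kept = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body and not is_rfc1918(ipaddress.ip_network(body.split()[0], strict=False)):
            continue  # drop the IANA-unassigned entry
        kept.append(line)
    return "\n".join(kept) + "\n"
```

With the sample, blocking_entry(parse_entries(SAMPLE_RFC1918_FILE), "83.88.93.155") reports the 83.0.0.0/8 logdrop entry, and the stripped copy no longer matches that address.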