Running shorewall version 2.2.3 from debian sarge on our company's firewalls.

Had an interesting experience.
My home ISP is Road Runner and yesterday got a new IP starting with 72.
Was really confused as the internet seemed to work but I could not access any of the company sites.

Finally checked my home firewall that also uses shorewall and noticed in rfc1918:
72.0.0.0/5 logdrop # Reserved

For a while figured the ISP was doing something wrong but eventually it sank in that the rfc1918 file had a list of reserved addresses in addition to the rfc1918 blocks.

I used the program referenced in the rfc1918 file to update the reserved list and all is well, at least for now.
Checking the firewall log I saw that I was blocking a lot of traffic that should not have been blocked.
There are a bunch of formerly reserved blocks now in use.

How important is it to block reserved addresses?
If not that important maybe they should be removed.

If it is important to block reserved addresses, could the reserved list be periodically automatically rebuilt?
I suspect that when a block is allocated it will take a while for it to be actively used, so weekly should be sufficient.
Probably easier to implement if it was a separate table.

John
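The problem above is a stale reserved-block list mixed into the same file as the real RFC 1918 entries. The following is an added example (not code from the thread or from shorewall) that parses a constructed rfc1918-format file, reports which entries are not RFC 1918 private space and so will go stale, and checks whether a given source address would be dropped; it assumes first match in file order and that a RETURN target exempts the subnet.

```python
import ipaddress

# The three RFC 1918 private blocks. Any other entry in a shorewall rfc1918
# file is a reserved ("bogon") block that goes stale as IANA allocates space.
RFC1918_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the rfc1918 file format (SUBNET TARGET, '#' comments).
SAMPLE_RFC1918_FILE = """\
# SUBNET          TARGET
10.0.0.0/8        logdrop   # RFC 1918 private
172.16.0.0/12     logdrop   # RFC 1918 private
192.168.0.0/16    logdrop   # RFC 1918 private
72.32.0.0/12      RETURN    # constructed: a now-allocated block, exempted
72.0.0.0/5        logdrop   # Reserved
1.0.0.0/8         logdrop   # Reserved
"""

def parse_rfc1918(text):
    """Return a list of (network, target) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        subnet, target = line.split()[:2]
        entries.append((ipaddress.ip_network(subnet, strict=False),
                        target.lower()))
    return entries

def matching_entry(entries, address):
    """First entry containing address (first match wins, as assumed for the
    iptables chain shorewall builds from this file), or None."""
    addr = ipaddress.ip_address(address)
    for net, target in entries:
        if addr in net:
            return net, target
    return None

def is_blocked(entries, address):
    """True if the file would drop traffic from address; RETURN exempts it."""
    hit = matching_entry(entries, address)
    return hit is not None and hit[1] != "return"

def stale_candidates(entries):
    """Drop entries outside RFC 1918 space, i.e. the reserved blocks that go stale."""
    return [(net, target) for net, target in entries
            if target != "return"
            and not any(net.subnet_of(blk) for blk in RFC1918_BLOCKS)]
```

Running `stale_candidates` over a real /etc/shorewall/rfc1918 lists exactly the entries that need refreshing or, as advised later in the thread, removing.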
John McMonagle wrote:
> Running shorewall version 2.2.3 from debian sarge on our company's
> firewalls.
>
> Had an interesting experience.
> My home ISP is Road Runner and yesterday got a new IP starting with 72.
> Was really confused as the internet seemed to work but I could not access
> any of the company sites.
>
> Finally checked my home firewall that also uses shorewall and noticed
> in rfc1918:
> 72.0.0.0/5 logdrop # Reserved
>
> For a while figured the ISP was doing something wrong but eventually
> it sank in that the
> rfc1918 file had a list of reserved addresses in addition to the rfc1918
> blocks.

On newer versions of shorewall the reserved addresses are divided in 2 files, "rfc1918" and "bogons". If you use bogon filtering, you should update the file from time to time.

I strongly recommend you upgrade your firewall to the latest stable version.

--
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
Cristian Rodriguez wrote:
> John McMonagle wrote:
>> Running shorewall version 2.2.3 from debian sarge on our company's
>> firewalls.
>
> On newer versions of shorewall the reserved addresses are divided in 2 files,
> "rfc1918" and "bogons". If you use bogon filtering, you should update
> the file from time to time.
>
> I strongly recommend you upgrade your firewall to the latest stable
> version.

2.2.3 is new enough -- John just needs to purge /etc/shorewall/rfc1918.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Cristian Rodriguez wrote on 18/08/2005 18:57:50:
> John McMonagle wrote:
>
> On newer versions of shorewall the reserved addresses are divided in 2 files,
> "rfc1918" and "bogons". If you use bogon filtering, you should update
> the file from time to time.
>
> I strongly recommend you upgrade your firewall to the latest stable version.

Was the bogons file not discontinued in the more recent versions? Or is this a todo?

--
Eduardo Ferreira
John McMonagle wrote:
> Running shorewall version 2.2.3 from debian sarge on our company's
> firewalls.
>
> Had an interesting experience.
> My home ISP is Road Runner and yesterday got a new IP starting with 72.
> Was really confused as the internet seemed to work but I could not
> access any of the company sites.
>
> Finally checked my home firewall that also uses shorewall and noticed
> in rfc1918:
> 72.0.0.0/5 logdrop # Reserved
>
> For a while figured the ISP was doing something wrong but eventually
> it sank in that the
> rfc1918 file had a list of reserved addresses in addition to the
> rfc1918 blocks.
>
> I used the program referenced in the rfc1918 file to update the
> reserved list and all is well, at least for now.
> Checking the firewall log I saw that I was blocking a lot of traffic
> that should not have been blocked.
> There are a bunch of formerly reserved blocks now in use.
>
> How important is it to block reserved addresses?

It's not so important, because if you got flooded with DoS packets it doesn't really matter if the attacker is spoofing unallocated or allocated IPs. In fact allocated is worse, because the real owner of this IP is affected too.

You are using an older release of shorewall, because the rfc1918 file got separated some time ago. Newer shorewall versions use a file called bogons (the unallocated IP spaces) and the rfc1918 file (just "real" rfc1918 addresses / private address space). AFAIK Tom considered this rfc1918 (combined version) and also the bogon file a design mistake, because it causes a lot of trouble like you experienced now. So support of this option is probably already dropped or will be dropped in future releases.

So my advice is: update to the latest stable version, and if you are using the nobogons option you should update this file from time to time.

HTH,
Alex

> If not that important maybe they should be removed.
>
> If it is important to block reserved addresses, could the reserved
> list be periodically automatically rebuilt?
> I suspect that when a block is allocated it will take a while for
> it to be actively used, so weekly should be sufficient.
> Probably easier to implement if it was a separate table.
>
> John
Eduardo Ferreira wrote:
> Cristian Rodriguez wrote on 18/08/2005 18:57:50:
>> John McMonagle wrote:
>>
>> On newer versions of shorewall the reserved addresses are divided in 2 files,
>> "rfc1918" and "bogons". If you use bogon filtering, you should update
>> the file from time to time.
>>
>> I strongly recommend you upgrade your firewall to the latest stable
>> version.
>
> Was the bogons file not discontinued in the more recent versions? Or is
> this a todo?

The bogons file has been removed in the 2.5 series.

-Tom
Tom Eastep wrote:
> Cristian Rodriguez wrote:
>> John McMonagle wrote:
>>> Running shorewall version 2.2.3 from debian sarge on our company's
>>> firewalls.
>>
>> On newer versions of shorewall the reserved addresses are divided in 2 files,
>> "rfc1918" and "bogons". If you use bogon filtering, you should update
>> the file from time to time.
>>
>> I strongly recommend you upgrade your firewall to the latest stable
>> version.
>
> 2.2.3 is new enough -- John just needs to purge /etc/shorewall/rfc1918.
>
> -Tom

Thanks

I just removed the reserved nets from the rfc1918 file.
Now need to work on the more obscure problems....

John
John McMonagle wrote:
>> 2.2.3 is new enough -- John just needs to purge /etc/shorewall/rfc1918.
>>
>> -Tom
>
> Thanks
>
> I just removed the reserved nets from the rfc1918 file.
> Now need to work on the more obscure problems....

You should simply remove the file -- the proper file is in /usr/share/shorewall.

-Tom