Hello Tom.
Sorry, don't answer my previous letter; I forgot to set the subject. I fixed this in the current one. And now about my question.
I asked you before about a method of stopping RFC1918 traffic on the external interface and you advised me to use the following rule:

REJECT! all net:$RFC1918_NETS

Can I replace this rule with the 'norfc1918' option in the 'interfaces' file for this interface?

Alex

---------
OJSC 'Belgazprombank' provides express cash loans without collateral of up to 15,000 US dollars http://www.belgazprombank.by/6788242.html

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Thu, Mar 13, 2008 at 12:17:56PM +0200, alex wrote:
> Hello Tom.
> Sorry, don't answer my previous letter; I forgot to set the subject. I fixed this in the current one. And now about my question.
> I asked you before about a method of stopping RFC1918 traffic on the external interface and you advised me to use the following rule:
>
> REJECT! all net:$RFC1918_NETS
>
> Can I replace this rule with the 'norfc1918' option in the 'interfaces' file for this interface?
>
Yes.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
>> Hello Tom.
>> Sorry, don't answer my previous letter; I forgot to set the subject. I fixed this in the current one. And now about my question.
>> I asked you before about a method of stopping RFC1918 traffic on the external interface and you advised me to use the following rule:
>>
>> REJECT! all net:$RFC1918_NETS
>>
>> Can I replace this rule with the 'norfc1918' option in the 'interfaces' file for this interface?
>>
> Yes.
>
> Regards,
>
> -Roberto

Thank you, Roberto, for the quick answer, but I found the answer to my question myself. I can't (I think) use this option in my case, as I have an additional definition for this (external) interface in my 'hosts' file:

net $EXT_IF:!$BTC_RTR

Alex
>>> Hello Tom.
>>> Sorry, don't answer my previous letter; I forgot to set the subject. I fixed this in the current one. And now about my question.
>>> I asked you before about a method of stopping RFC1918 traffic on the external interface and you advised me to use the following rule:
>>>
>>> REJECT! all net:$RFC1918_NETS
>>>
>>> Can I replace this rule with the 'norfc1918' option in the 'interfaces' file for this interface?
>>>
>> Yes.
>>
>> Regards,
>>
>> -Roberto
>
> Thank you, Roberto, for the quick answer, but I found the answer to my question myself. I can't (I think) use this option in my case, as I have an additional definition for this (external) interface in my 'hosts' file:
>
> net $EXT_IF:!$BTC_RTR
>
> Alex

No, I am wrong. '$BTC_RTR' from my example doesn't belong to the RFC1918 range and therefore I can use the 'norfc1918' option. Sorry. Thank you very much.

Alex
Roberto C. Sánchez wrote:
> On Thu, Mar 13, 2008 at 12:17:56PM +0200, alex wrote:
>> Hello Tom.
>> Sorry, don't answer my previous letter; I forgot to set the subject. I fixed this in the current one. And now about my question.
>> I asked you before about a method of stopping RFC1918 traffic on the external interface and you advised me to use the following rule:
>>
>> REJECT! all net:$RFC1918_NETS
>>
>> Can I replace this rule with the 'norfc1918' option in the 'interfaces' file for this interface?
>>
> Yes.

No, actually.

'norfc1918' is more like

REJECT net:$RFC1918_NETS all

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Thu, Mar 13, 2008 at 07:17:12AM -0700, Tom Eastep wrote:
> Roberto C. Sánchez wrote:
> > On Thu, Mar 13, 2008 at 12:17:56PM +0200, alex wrote:
> >> Hello Tom.
> >> Sorry, don't answer my previous letter; I forgot to set the subject. I fixed this in the current one. And now about my question.
> >> I asked you before about a method of stopping RFC1918 traffic on the external interface and you advised me to use the following rule:
> >>
> >> REJECT! all net:$RFC1918_NETS
> >>
> >> Can I replace this rule with the 'norfc1918' option in the 'interfaces' file for this interface?
> >>
> > Yes.
>
> No, actually.
>
> 'norfc1918' is more like
>
> REJECT net:$RFC1918_NETS all
>
That's what I get for replying to email at 6:00 AM.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
>>> Hello Tom.
>>> Sorry, don't answer my previous letter; I forgot to set the subject. I fixed this in the current one. And now about my question.
>>> I asked you before about a method of stopping RFC1918 traffic on the external interface and you advised me to use the following rule:
>>>
>>> REJECT! all net:$RFC1918_NETS
>>>
>>> Can I replace this rule with the 'norfc1918' option in the 'interfaces' file for this interface?
>>>
>> Yes.
> No, actually.
>
> 'norfc1918' is more like
>
> REJECT net:$RFC1918_NETS all

What is better?

Alex
>>>> Hello Tom.
>>>> Sorry, don't answer my previous letter; I forgot to set the subject. I fixed this in the current one. And now about my question.
>>>> I asked you before about a method of stopping RFC1918 traffic on the external interface and you advised me to use the following rule:
>>>>
>>>> REJECT! all net:$RFC1918_NETS
>>>>
>>>> Can I replace this rule with the 'norfc1918' option in the 'interfaces' file for this interface?
>>>>
>>> Yes.
> No, actually.
>
> 'norfc1918' is more like
>
> REJECT net:$RFC1918_NETS all

And yet one more difference: norfc1918 uses 'DROP', not 'REJECT'.
Sorry Tom, but I want to repeat my question: which of these two methods do you recommend?

Alex
alex wrote:
> And yet one more difference: norfc1918 uses 'DROP', not 'REJECT'.
> Sorry Tom, but I want to repeat my question: which of these two methods do you recommend?

Alex,

If I would have had an opinion one way or the other, I would have already told you what it was. I do, however, recommend against using the REJECT target on any traffic that originates from the Internet as an anti-DOS measure.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
>> And yet one more difference: norfc1918 uses 'DROP', not 'REJECT'.
>> Sorry Tom, but I want to repeat my question: which of these two methods do you recommend?
>
> Alex,
>
> If I would have had an opinion one way or the other, I would have already told you what it was. I do, however, recommend against using the REJECT target on any traffic that originates from the Internet as an anti-DOS measure.
>
> -Tom

Please, Tom, forgive me, but I want to ask you which method is better: the 'norfc1918' option in the 'interfaces' file or a special rule in the 'rules' file?

Thank you very much,
Alex
alex wrote:
>>> And yet one more difference: norfc1918 uses 'DROP', not 'REJECT'.
>>> Sorry Tom, but I want to repeat my question: which of these two methods do you recommend?
>> Alex,
>>
>> If I would have had an opinion one way or the other, I would have already told you what it was. I do, however, recommend against using the REJECT target on any traffic that originates from the Internet as an anti-DOS measure.
>>
>> -Tom
>
> Please, Tom, forgive me, but I want to ask you which method is better: the 'norfc1918' option in the 'interfaces' file or a special rule in the 'rules' file?
>
And I'm trying to tell you that I don't care which you use. They will do exactly the same thing.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Fri, Mar 14, 2008 at 07:28:29AM -0700, Tom Eastep wrote:
> I do, however, recommend against using the REJECT
> target on any traffic that originates from the Internet as an anti-DOS measure.

Although, as always, if you have an ADSL line (and the firewall is on the downstream end) then anti-DoS measures against traffic that originates from the internet are a waste of time - you can't block a DoS against that configuration from that physical location, it has to be done on the upstream (ISP) side.
Andrew Suffield wrote:
> On Fri, Mar 14, 2008 at 07:28:29AM -0700, Tom Eastep wrote:
>> I do, however, recommend against using the REJECT
>> target on any traffic that originates from the Internet as an anti-DOS measure.
>
> Although, as always, if you have an ADSL line (and the firewall is on
> the downstream end) then anti-DoS measures against traffic that
> originates from the internet are a waste of time - you can't block a
> DoS against that configuration from that physical location, it has to
> be done on the upstream (ISP) side.

But no sense generating a collateral outgoing packet storm that tries to match the incoming one.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
>>>> And yet one more difference: norfc1918 uses 'DROP', not 'REJECT'.
>>>> Sorry Tom, but I want to repeat my question: which of these two methods do you recommend?
>>> Alex,
>>> If I would have had an opinion one way or the other, I would have already told you what it was. I do, however, recommend against using the REJECT target on any traffic that originates from the Internet as an anti-DOS measure.
>>>
>>> -Tom
>> Please, Tom, forgive me, but I want to ask you which method is better: the 'norfc1918' option in the 'interfaces' file or a special rule in the 'rules' file?
> And I'm trying to tell you that I don't care which you use. They will do
> exactly the same thing.

No, here are the outputs for two cases (I have the local network 192.168.5.0/24, default gateway 192.168.5.1, and start a traceroute to 192.168.193.17):

1. norfc1918

traceroute to 192.168.193.17 (192.168.193.17), 30 hops max, 40 byte packets
 1  gt.tst.by (192.168.5.1)  0.148 ms  0.135 ms  0.118 ms
 2  21.90.116.153 (21.90.116.153)  21.658 ms  21.510 ms  19.266 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
...

2. REJECT! all net:$RFC1918_NETS

traceroute to 192.168.193.17 (192.168.193.17), 30 hops max, 40 byte packets
 1  gt.tst.by (192.168.5.1)  0.137 ms  0.130 ms  0.129 ms
 2  gt.tst.by (192.168.5.1)  0.136 ms  0.151 ms  0.132 ms

I prefer the second case.
Alex
Generally speaking, DROP should be better than REJECT simply because dropped packets won't use any bandwidth sending the rejection, NOR will it advertise that there is actually a device at that IP, which could be a good thing. On the other hand, a REJECT would cause some programs to stop trying to connect immediately, and a DROP could cause a program to think there was an outage and try to connect over and over until their retry attempts are completed.

2008/3/17 alex <alshu@tut.by>:
> >>>> And yet one more difference: norfc1918 uses 'DROP', not 'REJECT'.
> >>>> Sorry Tom, but I want to repeat my question: which of these two methods do you recommend?
> >>> Alex,
> >>> If I would have had an opinion one way or the other, I would have already told you what it was. I do, however, recommend against using the REJECT target on any traffic that originates from the Internet as an anti-DOS measure.
> >>>
> >>> -Tom
> >> Please, Tom, forgive me, but I want to ask you which method is better: the 'norfc1918' option in the 'interfaces' file or a special rule in the 'rules' file?
> > And I'm trying to tell you that I don't care which you use. They will do
> > exactly the same thing.
>
> No, here are the outputs for two cases (I have the local network 192.168.5.0/24, default gateway 192.168.5.1, and start a traceroute to 192.168.193.17):
>
> 1. norfc1918
>
> traceroute to 192.168.193.17 (192.168.193.17), 30 hops max, 40 byte packets
>  1  gt.tst.by (192.168.5.1)  0.148 ms  0.135 ms  0.118 ms
>  2  21.90.116.153 (21.90.116.153)  21.658 ms  21.510 ms  19.266 ms
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  * * *
> ...
>
> 2. REJECT! all net:$RFC1918_NETS
>
> traceroute to 192.168.193.17 (192.168.193.17), 30 hops max, 40 byte packets
>  1  gt.tst.by (192.168.5.1)  0.137 ms  0.130 ms  0.129 ms
>  2  gt.tst.by (192.168.5.1)  0.136 ms  0.151 ms  0.132 ms
>
> I prefer the second case.
> Alex
> Generally speaking, DROP should be better than REJECT simply because
> dropped packets won't use any bandwidth sending the rejection, NOR will it
> advertise that there is actually a device at that IP, which could be a good
> thing. On the other hand, a REJECT would cause some programs to stop trying
> to connect immediately, and a DROP could cause a program to think there was
> an outage and try to connect over and over until their retry attempts are
> completed.
>
>> >>>> And yet one more difference: norfc1918 uses 'DROP', not 'REJECT'.
>> >>>> Sorry Tom, but I want to repeat my question: which of these two methods do you recommend?
>> >>> Alex,
>> >>> If I would have had an opinion one way or the other, I would have already told you what it was. I do, however, recommend against using the REJECT target on any traffic that originates from the Internet as an anti-DOS measure.
>> >>>
>> >>> -Tom
>> >> Please, Tom, forgive me, but I want to ask you which method is better: the 'norfc1918' option in the 'interfaces' file or a special rule in the 'rules' file?
>> > And I'm trying to tell you that I don't care which you use. They will do
>> > exactly the same thing.
>>
>> No, here are the outputs for two cases (I have the local network 192.168.5.0/24, default gateway 192.168.5.1, and start a traceroute to 192.168.193.17):
>>
>> 1. norfc1918
>>
>> traceroute to 192.168.193.17 (192.168.193.17), 30 hops max, 40 byte packets
>>  1  gt.tst.by (192.168.5.1)  0.148 ms  0.135 ms  0.118 ms
>>  2  21.90.116.153 (21.90.116.153)  21.658 ms  21.510 ms  19.266 ms
>>  3  * * *
>>  4  * * *
>>  5  * * *
>>  6  * * *
>>  7  * * *
>>  8  * * *
>> ...
>>
>> 2. REJECT! all net:$RFC1918_NETS
>>
>> traceroute to 192.168.193.17 (192.168.193.17), 30 hops max, 40 byte packets
>>  1  gt.tst.by (192.168.5.1)  0.137 ms  0.130 ms  0.129 ms
>>  2  gt.tst.by (192.168.5.1)  0.136 ms  0.151 ms  0.132 ms
>>
>> I prefer the second case.
>> Alex

The matter is not only DROP or REJECT.
The first variant sends the packets further, but the second blocks them (as we want). I forgot to say that Shorewall is installed on 192.168.5.1.

Alex
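To make concrete what Alex's two traceroutes and the DROP-versus-REJECT exchange above are showing, here is an added Python model of the two approaches (an editor's example, not Shorewall code and not written by anyone in this thread). It models only which address each rule inspects and the reply each target produces: the rules-file entry "REJECT! all net:$RFC1918_NETS" matches the destination address of traffic leaving through the net zone, while the norfc1918 option, as Tom describes it, matches the source address of traffic arriving from the net zone. It also totals the reply bytes a burst of matched packets would provoke under REJECT versus DROP, the "collateral outgoing packet storm" Tom warns about. The zone names, the sample addresses (192.168.5.10, 10.1.2.3, 203.0.113.7) and the 56-byte ICMP reply size are assumptions; Shorewall's '!' action suffix, connection tracking and the per-subnet actions of the rfc1918 file are deliberately left out.

```python
"""Toy model of 'REJECT! all net:$RFC1918_NETS' versus the 'norfc1918' option.

Added example; it is not Shorewall code. Only the direction of the
address match and the reply each target generates are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 private address blocks.
RFC1918_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    in_zone: str   # Shorewall zone the packet arrives from (assumed names: net, loc, fw)
    out_zone: str  # Shorewall zone the packet is headed to


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in RFC1918_NETS)


def rule_reject_to_private_via_net(pkt: Packet):
    # "REJECT! all net:$RFC1918_NETS": any SOURCE zone, DEST zone net,
    # restricted to RFC1918 *destination* addresses.
    if pkt.out_zone == "net" and is_rfc1918(pkt.dst):
        return "REJECT"
    return None


def rule_norfc1918(pkt: Packet):
    # 'norfc1918' interface option, as Tom describes it ("REJECT
    # net:$RFC1918_NETS all") but with the DROP target Alex points out:
    # SOURCE zone net restricted to RFC1918 *source* addresses, any DEST.
    if pkt.in_zone == "net" and is_rfc1918(pkt.src):
        return "DROP"
    return None


def rule_reject_from_private(pkt: Packet):
    # Tom's literal wording, kept only to compare REJECT's reply cost
    # against norfc1918's DROP on the same traffic.
    if pkt.in_zone == "net" and is_rfc1918(pkt.src):
        return "REJECT"
    return None


def evaluate(pkt: Packet, rules, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the zone policy applies."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict is not None:
            return verdict
    return policy


# Assumed size of one ICMP unreachable reply: 20-byte IP header + 8-byte ICMP
# header + the first 28 bytes of the offending packet. DROP answers nothing.
REPLY_BYTES = {"REJECT": 56, "DROP": 0, "ACCEPT": 0}


def reply_bytes(packets, rules, policy: str = "DROP") -> int:
    """Bytes the firewall sends back for a burst of packets under the given rules."""
    return sum(REPLY_BYTES[evaluate(p, rules, policy)] for p in packets)


def outbound_probe() -> Packet:
    # Alex's traceroute: a LAN host behind 192.168.5.1 probing 192.168.193.17.
    return Packet("192.168.5.10", "192.168.193.17", "loc", "net")


def spoofed_inbound() -> Packet:
    # Constructed: a packet arriving from the Internet side with a private source.
    return Packet("10.1.2.3", "203.0.113.7", "net", "fw")


def compare() -> dict:
    probe, spoof = outbound_probe(), spoofed_inbound()
    return {
        "probe_under_norfc1918": evaluate(probe, [rule_norfc1918]),
        "probe_under_rules_entry": evaluate(probe, [rule_reject_to_private_via_net]),
        "spoof_under_norfc1918": evaluate(spoof, [rule_norfc1918]),
        "spoof_under_rules_entry": evaluate(spoof, [rule_reject_to_private_via_net]),
        "storm_bytes_reject": reply_bytes([spoof] * 1000, [rule_reject_from_private]),
        "storm_bytes_drop": reply_bytes([spoof] * 1000, [rule_norfc1918]),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26} {value}")
```

The model reproduces the thread's observations: the outbound probe passes under norfc1918 (which is why Alex's first trace reaches the ISP at hop 2) and is REJECTed by the rules-file entry (the REJECT's ICMP reply is what makes the gateway itself appear as hop 2 in his second trace). The two are not interchangeable, though: a packet arriving from the net zone with a private source address is dropped by norfc1918 but untouched by the rules-file entry, since that entry inspects destinations, not sources. The last two figures show Tom's point about REJECT on Internet-originated traffic: a thousand matched packets cost roughly 56 kB of replies under REJECT and nothing under DROP.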