Netblocks to filter, was: Re: [fw-wiz] Protecting a datacentre with a firewall

mario mario at schmut.com
Sun May 4 12:12:43 PDT 2003


I run a nightly script that diffs these against yesterday's version.
http://www.rfc-editor.org/rfc/rfc3330.txt
http://www.iana.org/assignments/ipv4-address-space
I adjust my rule sets as these change.

BTW I think these are legal.
049/8   May 94   Joint Technical Command   (Returned to IANA  Mar 98)
050/8   May 94   Joint Technical Command   (Returned to IANA  Mar 98)



> I'd dug up some information about invalid IP network blocks to filter
> from a discussion on the firewall-wizards mailing list, and converted it
> to a set of IPFW(2) rules:
>
> [ ... ]
> And let's raise the bar a little, and see how many firewall vendors
> handle bogus netblocks properly?  There's a nice resource here:
> http://www.cymru.com/Bogons/index.html which says:
>
> | How much does it help to filter the bogons?  In one study conducted by
> | Rob Thomas of a frequently attacked site, fully 60% of the naughty
> | packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.).
>
> Does Zorp know about and filter these properly?  Does Cisco's PIX?
>
> I've been blocking many of them already, but here's my updated set of
> IPFW2 rules, with RFC-1918, autoconf, and multicast addresses commented
> out.  I'm doing NAT or divert sockets in some cases and have
> per-interface directional rules, but season to taste:
>
> ####
> # Stop other bogus networks (often used by DDoS attacks)
>
> add deny log all from 0.0.0.0/7 to any
> add deny log all from 2.0.0.0/8 to any
> add deny log all from 5.0.0.0/8 to any
> add deny log all from 7.0.0.0/8 to any
> #add deny log all from 10.0.0.0/8 to any
> add deny log all from 23.0.0.0/8 to any
> add deny log all from 27.0.0.0/8 to any
> add deny log all from 31.0.0.0/8 to any
> add deny log all from 36.0.0.0/7 to any
> add deny log all from 39.0.0.0/8 to any
> add deny log all from 41.0.0.0/8 to any
> add deny log all from 42.0.0.0/8 to any
> add deny log all from 49.0.0.0/8 to any
> add deny log all from 50.0.0.0/8 to any
> add deny log all from 58.0.0.0/7 to any
> add deny log all from 70.0.0.0/7 to any
> add deny log all from 72.0.0.0/5 to any
> add deny log all from 83.0.0.0/8 to any
> add deny log all from 84.0.0.0/6 to any
> add deny log all from 88.0.0.0/5 to any
> add deny log all from 96.0.0.0/3 to any
> #add deny log all from 169.254.0.0/16 to any
> #add deny log all from 172.16.0.0/12 to any
> add deny log all from 173.0.0.0/8 to any
> add deny log all from 174.0.0.0/7 to any
> add deny log all from 176.0.0.0/5 to any
> add deny log all from 184.0.0.0/6 to any
> add deny log all from 189.0.0.0/8 to any
> add deny log all from 190.0.0.0/8 to any
> add deny log all from 192.0.2.0/24 to any
> #add deny log all from 192.168.0.0/16 to any
> add deny log all from 197.0.0.0/8 to any
> add deny log all from 198.18.0.0/15 to any
> add deny log all from 223.0.0.0/8 to any
> #add deny log all from 224.0.0.0/3 to any
>
> --
> -Chuck
>
> PS: If this information is valid and seems useful to other people, maybe
> I'll send-pr these as a set of suggested changes for /etc/rc.firewall.
>
>
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"

my 2 cents

mario;>

----------------------------------------------------
Do you schmut!?
http://www.schmut.com
:) ... then again for a real web site you could try:
House Of Sites
http://www.HouseOfSites.net
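The nightly "diff the registry, then adjust the rule set" routine mario describes, written out as a small POSIX sh script. This is an added example, not mario's script and not anything from FreeBSD's rc.firewall. It assumes the 2003-era plain-text layout of IANA's ipv4-address-space file (one "NNN/8  Mon YY  Holder  (note)" line per /8, with unallocated space marked "IANA - Reserved" or "(Returned to IANA ...)"), needs only awk, sed and sort, and covers only the IANA file, not RFC 3330. The two snapshots embedded in it are constructed samples for the demo, not copies of the real registry; the function names are mine.

```shell
#!/bin/sh
# Added example: nightly bogon-list maintenance for ipfw, driven by two
# snapshots of the IANA ipv4-address-space registry.  Not mario's script.
# Assumed registry layout (2003-era text file): one "NNN/8  Mon YY  Holder"
# line per /8; unallocated space is marked "IANA - Reserved" or
# "(Returned to IANA ...)".  Both snapshots below are constructed samples.

YESTERDAY='Internet Protocol v4 Address Space

000/8   Sep 81   IANA - Reserved
001/8   Sep 81   IANA - Reserved
002/8   Sep 81   IANA - Reserved
049/8   May 94   Joint Technical Command   (Returned to IANA  Mar 98)
050/8   May 94   Joint Technical Command   (Returned to IANA  Mar 98)
127/8   Sep 81   IANA - Loopback'

TODAY='Internet Protocol v4 Address Space

000/8   Sep 81   IANA - Reserved
001/8   Sep 81   IANA - Reserved
002/8   Sep 81   IANA - Reserved
049/8   May 94   Joint Technical Command   (Returned to IANA  Mar 98)
050/8   May 03   Example RIR (constructed: handed out since yesterday)
127/8   Sep 81   IANA - Loopback'

# bogon_slash8s: registry text on stdin -> unallocated /8s in ipfw notation,
# one per line, numerically sorted.  Loopback, RFC 1918, multicast etc. are
# deliberately not derived here; those come from RFC 3330, not this file.
bogon_slash8s() {
	awk '/^[0-9][0-9][0-9]\/8/ && (/IANA - Reserved/ || /Returned to IANA/) {
		split($1, a, "/")
		printf "%d.0.0.0/8\n", a[1]     # "049" -> 49
	}' | sort -t. -k1,1n
}

# ipfw_rules [BASE]: bogon list on stdin -> "add deny log" lines in the style
# of the quoted rc.firewall fragment, numbered from BASE so a reload that
# flushes and re-adds the range is reproducible.
ipfw_rules() {
	awk -v base="${1:-1000}" \
		'{ printf "add %d deny log all from %s to any\n", base + NR, $1 }'
}

# registry_changes OLD NEW: "+CIDR" for a /8 that became a bogon, "-CIDR" for
# a /8 that was allocated.  The "-" lines are the operationally important
# ones: a deny rule left in place for a newly allocated block blackholes a
# live network, which is how stale bogon lists turn into outages.
registry_changes() {
	{
		printf '%s\n' "$1" | bogon_slash8s | sed 's/^/old /'
		printf '%s\n' "$2" | bogon_slash8s | sed 's/^/new /'
	} | awk '
		$1 == "old" { old[$2] = 1 }
		$1 == "new" { new[$2] = 1 }
		END {
			for (c in new) if (!(c in old)) print "+" c
			for (c in old) if (!(c in new)) print "-" c
		}' | sort
}

# Usage, as the nightly job would run it after fetching a fresh copy:
printf '%s\n' "$TODAY" | bogon_slash8s | ipfw_rules 1000
registry_changes "$YESTERDAY" "$TODAY"
```

Run against the two samples, the rule generator emits four deny lines (0/8, 1/8, 2/8, 49/8) and the change report prints `-50.0.0.0/8`, i.e. the rule for 50/8 must be dropped today. In a real deployment the fetched file replaces the literal snapshots, yesterday's copy is kept on disk, and the job should refuse to apply a new rule set when the diff is empty or suspiciously large (a truncated download would otherwise delete every bogon rule at once).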