Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 4 May 2003 12:13:22 -0700 (PDT)
From:      "mario" <mario@schmut.com>
To:        <chuck@codefab.com>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: Netblocks to filter, was: Re: [fw-wiz] Protecting a datacentre with a firewall
Message-ID:  <1676.192.168.23.97.1052075602.squirrel@webmail.schmut.com>
In-Reply-To: <3EB53C74.40500@codefab.com>
References:  <3EB53C74.40500@codefab.com>

next in thread | previous in thread | raw e-mail | index | archive | help
I run a nightly script that diffs these against yesterdays version.
http://www.rfc-editor.org/rfc/rfc3330.txt
http://www.iana.org/assignments/ipv4-address-space
I adjust my rule sets as these change.

BTW i think these are legal.
049/8   May 94   Joint Technical Command   (Returned to IANA  Mar 98)
050/8   May 94   Joint Technical Command   (Returned to IANA  Mar 98)



> I'd dug up some information about invalid IP network blocks to filter
> from a discussion on the firewall-wizards mailing list, and converted it
>  to a set of IPFW(2) rules:
>
> [ ... ]
> And let's raise the bar a little, and see how many firewall vendors
> handle bogus netblocks properly?  There's a nice resource here:
> http://www.cymru.com/Bogons/index.html which says:
>
> | How much does it help to filter the bogons?  In one study conducted by
> | Rob Thomas of a frequently attacked site, fully 60% of the naughty |
> packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.).
>
> Does Zorp know about and filter these properly?  Does Cisco's PIX?
>
> I've been blocking many of them already, but here's my updated set of
> IPFW2 rules, with RFC-1918, autoconf, and multicast addresses commented
> out.  I'm doing NAT or divert sockets in some cases and have
> per-interface directional rules, but season to taste:
>
> ####
> # Stop other bogus networks (often used by DDoS attacks)
>
> add deny log all from 0.0.0.0/7 to any
> add deny log all from 2.0.0.0/8 to any
> add deny log all from 5.0.0.0/8 to any
> add deny log all from 7.0.0.0/8 to any
> #add deny log all from 10.0.0.0/8 to any
> add deny log all from 23.0.0.0/8 to any
> add deny log all from 27.0.0.0/8 to any
> add deny log all from 31.0.0.0/8 to any
> add deny log all from 36.0.0.0/7 to any
> add deny log all from 39.0.0.0/8 to any
> add deny log all from 41.0.0.0/8 to any
> add deny log all from 42.0.0.0/8 to any
> add deny log all from 49.0.0.0/8 to any
> add deny log all from 50.0.0.0/8 to any
> add deny log all from 58.0.0.0/7 to any
> add deny log all from 70.0.0.0/7 to any
> add deny log all from 72.0.0.0/5 to any
> add deny log all from 83.0.0.0/8 to any
> add deny log all from 84.0.0.0/6 to any
> add deny log all from 88.0.0.0/5 to any
> add deny log all from 96.0.0.0/3 to any
> #add deny log all from 169.254.0.0/16 to any
> #add deny log all from 172.16.0.0/12 to any
> add deny log all from 173.0.0.0/8 to any
> add deny log all from 174.0.0.0/7 to any
> add deny log all from 176.0.0.0/5 to any
> add deny log all from 184.0.0.0/6 to any
> add deny log all from 189.0.0.0/8 to any
> add deny log all from 190.0.0.0/8 to any
> add deny log all from 192.0.2.0/24 to any
> #add deny log all from 192.168.0.0/16 to any
> add deny log all from 197.0.0.0/8 to any
> add deny log all from 198.18.0.0/15 to any
> add deny log all from 223.0.0.0/8 to any
> #add deny log all from 224.0.0.0/3 to any
>
> --
> -Chuck
>
> PS: If this information is valid and seems useful to other people, maybe
>  I'll send-pr these as a set of suggested changes for /etc/rc.firewall.
>
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

my 2 cents

mario;>

----------------------------------------------------
Do you schmut!?
http://www.schmut.com
:) ... then again for a real web site you could try:
House Of Sites
http://www.HouseOfSites.net






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1676.192.168.23.97.1052075602.squirrel>