On Thu, 2 Sep 1999, Ryan Russell wrote:
> As a matter of course, firewall admins should implement anti-spoofing rules that
> block (source)
> addresses for their inside nets, any RFC1918 addresses, and anything above
> 223.255.255.255
> (minus anything they wish to explicitly allow for MBONE, routing protocols,
> etc..)

It's not as simple as this....imagine the following network:

server <- net a -> router a <- net b -> router b <-> internet <-> your host

Let's say router A and router B are managed by people with too little
routable IP space, so they used a 192.168.x.x address.  After all, that is an
internal net for them and they have only seen a problem when trying to use
traceroute to hosts on the internet.

Now say router A needs to fragment a packet, or send a host unreachable for
server back to your host.  Guess what source address gets used?  The
192.168.x.x address.

I guess this will bring back the "block ICMP" debate, but I am of the camp
that not all ICMP is evil.  I like working path MTU detection, and I have
been called in the past by people who block ICMPs asking why access to some
sites on the web was just awful while others were just fine.  You can call
blocking all ICMP an acceptable minor problem, but you can't say it is not a
problem.

PS: this problem is not nearly as uncommon as you may think.  I find stuff
like this often doing network consulting, and I try to get people to use
routable addresses throughout their public infrastructure.  Otherwise I tell
them to NAT from the point of entry, as there are some wire-speed NAT boxes that
can run full bore at 100Mb nowadays.

Cliff

--
   | Cliff Skolnick          | "They that can give up essential liberty to |
   | Steam Tunnel Operations |  obtain a little temporary safety deserve   |
   | [EMAIL PROTECTED]         |  neither liberty nor safety."               |
   | http://www.steam.com/   |                  -- Benjamin Franklin, 1759 |
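
An added illustration of the point above (constructed here, not code from either poster): Ryan's anti-spoofing rule applied to Cliff's scenario, plus an audit that tallies the ICMP errors the rule swallows, so an admin can see a path-MTU black hole forming instead of only hearing that "some sites are awful". The inside block 203.0.113.0/24 and router A's address 192.168.1.1 are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed values for the filtering site (constructed, not from the thread).
INSIDE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ABOVE_223 = ipaddress.ip_network("224.0.0.0/3")   # 224.0.0.0 and up, i.e. above 223.255.255.255
ICMP_ERRORS = {3: "destination-unreachable", 11: "time-exceeded"}

@dataclass
class Packet:
    src: str
    proto: str                       # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def is_bogon_source(src: str) -> bool:
    """Ryan's rule: inside nets, RFC1918 space, and anything above 223.255.255.255."""
    a = ipaddress.ip_address(src)
    return a in ABOVE_223 or any(a in n for n in INSIDE_NETS + RFC1918)

def ingress_verdict(pkt: Packet):
    """Return (action, collateral); collateral names an ICMP error the rule dropped, else None."""
    if not is_bogon_source(pkt.src):
        return "accept", None
    collateral = None
    if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERRORS:
        collateral = ICMP_ERRORS[pkt.icmp_type]
        if pkt.icmp_type == 3 and pkt.icmp_code == 4:     # "fragmentation needed" is the PMTUD case
            collateral = "fragmentation-needed (breaks path MTU discovery)"
    return "drop", collateral

def collateral_report(packets):
    """Tally ICMP errors lost to the anti-spoofing rule; a non-empty tally is Cliff's symptom."""
    tally = {}
    for pkt in packets:
        action, collateral = ingress_verdict(pkt)
        if action == "drop" and collateral:
            tally[collateral] = tally.get(collateral, 0) + 1
    return tally

# Constructed sample traffic: router A (192.168.1.1) answering from its private address.
SAMPLE = [
    Packet("198.51.100.7", "tcp"),          # ordinary internet host: accepted
    Packet("192.168.1.5", "tcp"),           # spoofed private source: dropped, as intended
    Packet("192.168.1.1", "icmp", 3, 4),    # frag-needed from router A: dropped, PMTUD breaks
    Packet("192.168.1.1", "icmp", 3, 1),    # host unreachable for server: dropped
    Packet("192.168.1.1", "icmp", 11, 0),   # traceroute hop reply: dropped
    Packet("240.1.2.3", "udp"),             # above 223.255.255.255: dropped
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.src, pkt.proto, ingress_verdict(pkt))
    print(collateral_report(SAMPLE))
```

Feeding the report a day of firewall drop logs would show whether the rule is silently eating ICMP errors from private-addressed routers, which is the signal to push the upstream on routable addresses or NAT rather than to open up ICMP wholesale.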

