> Hi!
>
> > > > I've noticed that when installing the default shorewall configuration of Bering-*
> > > > there is no block of rfc1918 packets going out to NET ....
> > > >
> > > > That is traceroute from LOC of any address not included in LOCAL LAN but in
> > > > the RFC1918 range will go out and traverse the net (Default route).
>
> RFC1918 cannot be blocked by default, because some ISPs provide these addresses
> to their customers, so, if we did block them Bering-uClibc would no longer work,
> and that would be our fault.
>
> [snip]
>
> > > Suppose a user from LOC LAN and address 192.168.1.4 pings or trace(s)route to
> > > 10.0.1.1 which is not used in local or any other zone ..
> > >
> > > 10.0.1.1 is DST
> > >
> > > If an observer in the net zone (the ISP) observes packets coming in from
> > > source address 62.12.1.1
> > >
> > > tcpdump -i someif0 src address 62.12.1.1
> > >
> > > She will see these ping or traceroute packets with the following characteristics.
> > >
> > > SRC=62.12.1.1 DST=10.0.1.1
> > >
> > > Am I right or am I right ???
> > >
> > > So we have a packet destined to a private address space looking around the
> > > internet to contact address 10.0.1.1 (noise).
> > >
> > > So let me repeat
> > >
> > > Who is responsible to stop or drop or kill this packet ?????
> > > The ISP or The firewall admin ???
> > >
> > > IMHO it is the firewall admin's responsibility.
>
> Use 'norfc1918' in the interface that connects to the net in
> '/etc/shorewall/interfaces'
NOPE .... The norfc1918 option in the interfaces file is about packets that come IN from NET -> to the net interface ..... Not about packets that go out destined to rfc1918 address space and the net... At least it operates like that... I don't know if it was intended to operate both ways....

The funny thing that I saw with this experiment is that when I traceroute some rfc1918 address I get full legitimate responses from the ISP's routers out there.

I stopped them by typing a few lines into the rules file:

    [DROP]|[REJECT]  loc  net:192.168.0.0/16  all

etc....

Regards
Harry...

"Please consider me as a Fool....."

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
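An added configuration example, not part of Harry's message nor of the Bering/shorewall defaults, showing both halves of what the thread discusses: the interfaces option that only filters inbound RFC1918 sources, and explicit loc-to-net rules that drop (and log) outbound traffic to all three RFC1918 blocks rather than only 192.168.0.0/16. It assumes the zone names `loc` and `net` used in the thread, `eth0` as the ISP-facing interface, `eth1` as the LAN interface, and shorewall's `ACTION:loglevel` rule syntax; it also assumes the ISP does not hand out RFC1918 addresses on the external link, the case the first correspondent warns about, because these rules would break such a connection.

```conf
# /etc/shorewall/interfaces   (columns: ZONE INTERFACE BROADCAST OPTIONS)
# norfc1918 applies to packets ARRIVING on eth0 with an RFC1918 source address.
# It does nothing for traffic LEAVING through eth0 toward an RFC1918 destination.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect

# /etc/shorewall/rules   (columns: ACTION SOURCE DEST PROTO)
# Egress side: anything from loc that would be routed out the net interface toward
# a private destination is dropped and logged at level info, so the "noise" the
# thread describes shows up in the firewall log instead of at the ISP's routers.
# Traffic to the local LAN itself never reaches these rules, since it is not routed
# through the net zone.
#ACTION     SOURCE  DEST                    PROTO
DROP:info   loc     net:10.0.0.0/8          all
DROP:info   loc     net:172.16.0.0/12       all
DROP:info   loc     net:192.168.0.0/16      all
```

Entries in the rules file are evaluated before the zone policy, so these rules hold even with a permissive loc-to-net ACCEPT policy in /etc/shorewall/policy.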