[leaf-user] RFC1918 packets to NET

2004-07-15 Thread grharry

I've noticed that when installing the default Shorewall configuration of Bering-*
there is no block of RFC1918 packets going out to NET.
That is, a traceroute from LOC to any address not included in the local LAN but in the
RFC1918 range will go out and traverse the net (default route).

Who is responsible for stopping these packets???

Should the ISP's block them?
or 
The firewall net admin should?


Thanks 
Harry






---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] RFC1918 packets to NET

2004-07-15 Thread Erich Titl
At 16:44 15.07.2004 +0300, [EMAIL PROTECTED] wrote:

>I've noticed that when installing the default Shorewall configuration of Bering-*
>there is no block of RFC1918 packets going out to NET.
>That is, a traceroute from LOC to any address not included in the local LAN but in the
>RFC1918 range will go out and traverse the net (default route).

Are you tracing the external interface? You should see a masqueraded source address 
there.

>Who is responsible for stopping these packets???

NAT

cheers
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] RFC1918 packets to NET

2004-07-15 Thread grharry

> At 16:44 15.07.2004 +0300, [EMAIL PROTECTED] wrote:
> 
> >I've noticed that when installing the default Shorewall configuration of Bering-*
> >there is no block of RFC1918 packets going out to NET.
> >That is, a traceroute from LOC to any address not included in the local LAN but in
> >the RFC1918 range will go out and traverse the net (default route).
> 
> Are you tracing the external interface? You should see a masqueraded source
> address there.
> 
> >Who is responsible for stopping these packets???
> 
> NAT

OK, I shall make this more clear...
I am referring to the destination address...

Suppose
LOC=192.168.1.0/24
DMZ=NONE
NET IF=ppp0=62.12.1.1 ( DYNAMIC )

No other addresses are involved in this hypothetical configuration.

Suppose a user from the LOC LAN with address 192.168.1.4 pings or traceroutes to
10.0.1.1, which is not used in local or any other zone...

10.0.1.1 is DST

If an observer in the net zone (the ISP) observes packets coming in from
source address 62.12.1.1:
tcpdump -i someif0 src address 62.12.1.1

She will see these ping or traceroute packets with the following characteristics.

SRC=62.12.1.1  DST=10.0.1.1 

Am I right or am I right ???

So we have a packet destined to a private address space looking around the internet to 
contact address 10.0.1.1 ( noise ).


So let me repeat

Who is responsible to stop or drop or kill this packet ?
The ISP or The firewall admin ???

Best Regards

Harry





RE: [leaf-user] RFC1918 packets to NET

2004-07-16 Thread Luis.F.Correia
Hi! 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Friday, July 16, 2004 7:06 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] RFC1918 packets to NET
> 
> 
> > At 16:44 15.07.2004 +0300, [EMAIL PROTECTED] wrote:
> > 
> > >I've noticed that when installing the default Shorewall
> > >configuration of Bering-*
> > >there is no block of RFC1918 packets going out to NET.
> > >That is, a traceroute from LOC to any address not included in
> > >the local LAN but in the RFC1918 range will go out and traverse
> > >the net (default route).

RFC1918 cannot be blocked by default, because some ISPs provide
these addresses to their customers, so if we did block them
Bering-uClibc would no longer work, and that would be our fault.

[snip]

> 
> Suppose a user from the LOC LAN with address 192.168.1.4 pings or
> traceroutes to 10.0.1.1, which is not used in local or
> any other zone...
> 
> 10.0.1.1 is DST
> 
> If an observer in the net zone (the ISP) observes packets
> coming in from
> source address 62.12.1.1:
> tcpdump -i someif0 src address 62.12.1.1
> 
> She will see these ping or traceroute packets with the 
> following characteristics.
> 
> SRC=62.12.1.1  DST=10.0.1.1 
> 
> Am I right or am I right ???
> 
> So we have a packet destined to a private address space 
> looking around the internet to contact address 10.0.1.1 ( noise ).
> 
> 
> So let me repeat
> 
> Who is responsible to stop or drop or kill this packet ?
> The ISP or The firewall admin ???
> 

IMHO it is the firewall admin's responsibility.

Use 'norfc1918' in the interface that connects to the net in
'/etc/shorewall/interfaces'



Luis Correia   
Bering uClibc Team Member

PGP Fingerprint: BC44 D7DA 5A17 F92A CA21 9ABE DFF0 3540 2322 21F6 
Key Server: http://pgp.mit.edu




RE: [leaf-user] RFC1918 packets to NET

2004-07-16 Thread grharry

> Hi!
> 
> > >I've noticed that when installing the default Shorewall
> > >configuration of Bering-*
> > >there is no block of RFC1918 packets going out to NET.
> > >That is, a traceroute from LOC to any address not included in
> > >the local LAN but in the RFC1918 range will go out and traverse
> > >the net (default route).
> 
> RFC1918 cannot be blocked by default, because some ISPs provide
> these addresses to their customers, so if we did block them
> Bering-uClibc would no longer work, and that would be our fault.
> 
> [snip]
> 
> >
> > Suppose a user from the LOC LAN with address 192.168.1.4 pings or
> > traceroutes to 10.0.1.1, which is not used in local or
> > any other zone...
> >
> > 10.0.1.1 is DST
> >
> > If an observer in the net zone (the ISP) observes packets
> > coming in from
> > source address 62.12.1.1:
> > tcpdump -i someif0 src address 62.12.1.1
> >
> > She will see these ping or traceroute packets with the
> > following characteristics.
> >
> > SRC=62.12.1.1  DST=10.0.1.1
> >
> > Am I right or am I right ???
> >
> > So we have a packet destined to a private address space
> > looking around the internet to contact address 10.0.1.1 ( noise ).
> >
> >
> > So let me repeat
> >
> > Who is responsible to stop or drop or kill this packet ?
> > The ISP or The firewall admin ???
> >
> 
> IMHO it is the firewall admin's responsibility.
> 
> Use 'norfc1918' in the interface that connects to the net in
> '/etc/shorewall/interfaces'

NOPE 

The norfc1918 option in the interfaces file is about packets that come IN from
NET to the net interface,
not about packets that go out destined to RFC1918 address space on the net...
At least it operates like that... I don't know if it was intended to operate both
ways.

The funny thing that I saw with this experiment is that when I traceroute some RFC1918
address I get fully legitimate responses from the ISP's routers out there.

I stopped them by typing a few lines into the rules file:

[DROP]|[REJECT]loc net:192.168.0.0/16  all

etc

Regards

Harry...

"Please consider me as a Fool."
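The distinction Harry draws above (norfc1918 checks the *source* of packets arriving on the net interface, while his loc->net rules key on the *destination*) can be made concrete with a small simulation. This is an added example, not Bering or Shorewall code; the topology values (LOC 192.168.1.0/24, ppp0 at 62.12.1.1, target 10.0.1.1) are the hypothetical ones from the thread, and the sample packets are constructed.

```python
"""Egress vs ingress RFC1918 filtering, modelled on the thread's scenario.
Added example (not Bering/Shorewall code): it simulates the two checks so the
difference between 'norfc1918' (inbound source check) and a loc->net DROP
rule keyed on destination becomes visible."""
from ipaddress import ip_address, ip_network

# RFC1918 private ranges
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical topology from the thread: LOC is 192.168.1.0/24, NET is ppp0
# with (dynamic) address 62.12.1.1.
LOC_NET = ip_network("192.168.1.0/24")
NET_ADDR = ip_address("62.12.1.1")

def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in n for n in RFC1918)

def norfc1918_ingress(src, dst):
    """Models the 'norfc1918' interface option: packets arriving ON the net
    interface with an RFC1918 *source* are dropped. The destination is ignored."""
    return "DROP" if is_rfc1918(src) else "ACCEPT"

def loc_to_net_egress(src, dst):
    """Models rules-file entries like 'DROP loc net:10.0.0.0/8 all':
    traffic leaving LOC toward NET whose *destination* is RFC1918 is dropped
    before masquerading."""
    if ip_address(src) in LOC_NET and is_rfc1918(dst):
        return "DROP"
    return "ACCEPT"

def trace(src, dst):
    """Walk a loc->net packet through egress filtering, then masquerade, and
    report what an ISP-side observer (tcpdump on the NET side) would see."""
    if loc_to_net_egress(src, dst) == "DROP":
        return {"verdict": "DROP", "seen_by_isp": None}
    return {"verdict": "ACCEPT", "seen_by_isp": (str(NET_ADDR), dst)}

# Constructed sample packets
SAMPLES = [
    ("192.168.1.4", "10.0.1.1"),      # the thread's ping/traceroute to 10.0.1.1
    ("192.168.1.4", "198.51.100.7"),  # legitimate outbound (documentation range)
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(src, "->", dst, trace(src, dst))
    # The masqueraded 10.0.1.1 packet passes norfc1918, which only looks at the source
    print("norfc1918 on SRC=62.12.1.1 DST=10.0.1.1:", norfc1918_ingress("62.12.1.1", "10.0.1.1"))
```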


 


