rfc1918

2009-01-22 Thread Steve Laurie
Hi all,

I was wondering if someone could tell me why there's a need to write
a rule to block addresses that come under the private address space if
these addresses aren't routable over the Internet?

Cheers,
Steve

-- 
I like Linux. I used it to download OpenBSD!!!



Re: rfc1918

2009-01-22 Thread - Tethys
On Thu, Jan 22, 2009 at 1:37 PM, Steve Laurie st...@foo-unix.org wrote:

 I was wondering if someone could tell me why there's a need to write
 a rule to block addresses that come under the private address space if
 these addresses aren't routable over the Internet?

An RFC that says they shouldn't be routable over the Internet doesn't
mean that they aren't. I've seen plenty of cases where a misconfigured
router has sent RFC1918 packets out onto the net. Blocking them at
your border is cheap, so it makes sense to do so.

Tet

-- 
Perl is like vise grips. You can do anything with it but it is the
wrong tool for every job. -- Bruce Eckel



Re: rfc1918

2009-01-22 Thread Pereresus ne Vlezaet Buggy
On 22 January 2009 c. 16:37:52 Steve Laurie wrote:
 Hi all,

 I was wondering if someone could tell me why there's a need to write
 a rule to block addresses that come under the private address space if
 these addresses aren't routable over the Internet?

- Your home Internet provider gives you a public IP, but their internal
network is still one of those described in RFC 1918;
- The OpenBSD machine is bridging some traffic;
- etc.

And when you set up such a rule you can control the flow of matched packets
(tag them, label them, etc.); otherwise you cannot.

--
  WBR,
Pereresus ne Vlezaet Buggy



Re: rfc1918

2009-01-22 Thread Stuart Henderson
On 2009-01-22, Steve Laurie st...@foo-unix.org wrote:
 Hi all,

 I was wondering if someone could tell me why there's a need to write
 a rule to block addresses that come under the private address space if
 these addresses aren't routable over the Internet?

They don't usually appear in full internet routing tables, but that's
not always the case; sometimes they do show up.

And even if you can't send packets _to_ them, they can still be used
as a source address on malicious packets; a lot of providers don't do
BCP38 ingress filtering.



Re: rfc1918

2009-01-22 Thread _azure
Stevoid wrote:

 I was wondering if someone could tell me why there's a need to write
 a rule to block addresses that come under the private address space if
 these addresses aren't routable over the Internet?

If you have a cable modem, run tcpdump on your ext_if for a few minutes
some time.


_azure
-- 
View this message in context: 
http://www.nabble.com/rfc1918-tp21604345p21608318.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.

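The two points above (Stuart's: private addresses still arrive as spoofed or leaked *source* addresses when the upstream skips BCP38 filtering; _azure's: a few minutes of tcpdump on ext_if will show you) can be checked directly. The script below is an added example, not code from this thread or from OpenBSD. It parses the one-line-per-packet format that `tcpdump -n` prints, flags every packet with an RFC 1918 address on either end, and says which case it is: a private source reaching your address, your own host leaking a packet to a private destination, or private chatter on the shared segment that is not addressed to you at all. The capture lines are constructed for the example, the host's own address `198.51.100.7` is assumed, and all function names are mine.

```python
"""Find RFC 1918 addresses in tcpdump output captured on an external
interface.  Added example for this thread, not code from the thread or
from OpenBSD.  Assumes tcpdump was run with -n (numeric addresses), e.g.
    tcpdump -n -i ext_if
and that the host's own external address is known (EXT_IP below)."""
import ipaddress
import re
from collections import Counter

# The three RFC 1918 blocks.  A pf table holding the same list is what a
# 'block ... from <rfc1918>' rule at the border would match against.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "HH:MM:SS.usec [IP] src[.port] > dst[.port]: ..." as printed by tcpdump -n.
# OpenBSD's tcpdump omits the "IP" token, the Linux one prints it, so it is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:IP\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\w+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\w+))?:"
)


def is_rfc1918(addr):
    """True if addr (dotted quad string) falls in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(src, dst, ext_ip):
    """Label a packet seen on the external interface, or return None when no
    RFC 1918 address is involved.  ext_ip is this host's own public address."""
    src_priv, dst_priv = is_rfc1918(src), is_rfc1918(dst)
    if not (src_priv or dst_priv):
        return None
    if dst == ext_ip and src_priv:
        # Reached us with a private source: spoofed, leaked by a misconfigured
        # router upstream, or a host on the ISP's own RFC 1918 segment.
        return "inbound from private source"
    if src == ext_ip and dst_priv:
        # We are the one leaking; an outbound block rule to <rfc1918> stops this.
        return "outbound to private destination"
    # Neither end is us: traffic on a shared cable segment or through a bridge.
    return "private traffic not addressed to us"


def scan(capture, ext_ip):
    """Scan tcpdump text.  Returns (findings, unparsed): findings is a list of
    (timestamp, src, dst, label); unparsed counts lines not in the IPv4 format
    above (ARP, IPv6, truncated lines), which are skipped rather than guessed at."""
    findings, unparsed = [], 0
    for line in capture.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        label = classify(m["src"], m["dst"], ext_ip)
        if label:
            findings.append((m["ts"], m["src"], m["dst"], label))
    return findings, unparsed


def summarize(findings):
    """Count findings per label: the view you want after a few minutes of capture."""
    return Counter(label for _, _, _, label in findings)


# Constructed sample capture (not a real trace); EXT_IP is this host's address.
EXT_IP = "198.51.100.7"
SAMPLE = """\
13:02:11.104512 203.0.113.10.443 > 198.51.100.7.51234: P 1:1449(1448) ack 1 win 65535
13:02:11.221870 10.20.30.40.12345 > 198.51.100.7.22: S 3391:3391(0) win 8192
13:02:11.310004 192.168.1.1.67 > 255.255.255.255.68: xid:0x1c3a [|bootp]
13:02:12.000120 198.51.100.7.51235 > 192.168.100.1.53: 4711+ A? example.com. (29)
13:02:12.450000 arp who-has 10.1.1.1 tell 10.1.1.2
13:02:13.000000 172.16.5.9.80 > 198.51.100.7.44000: . ack 1 win 5840
"""

if __name__ == "__main__":
    found, skipped = scan(SAMPLE, EXT_IP)
    for ts, src, dst, label in found:
        print(f"{ts} {src} > {dst}: {label}")
    print(dict(summarize(found)), f"({skipped} non-IPv4 lines skipped)")
```

On the sample, the SYN from 10.20.30.40 and the segment from 172.16.5.9 are the case Stuart describes (a private source address that nothing upstream filtered), the DHCP broadcast from 192.168.1.1 is the neighbour's gear on the shared segment, and the DNS query to 192.168.100.1 is the host's own leak. Feed it a real `tcpdump -n -i ext_if` capture instead of SAMPLE to see what your segment looks like. The pf equivalent of the policy being discussed is one table and two rules, roughly `table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }` with `block in quick on $ext_if from <rfc1918>` and `block out quick on $ext_if to <rfc1918>`; add `log` to either rule if you want pflog to show you the same hits this script reports.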


Re: rfc1918

2009-01-22 Thread Dave K
On Thu, Jan 22, 2009 at 8:37 AM, Steve Laurie st...@foo-unix.org wrote:

 I was wondering if someone could tell me why there's a need to write
 a rule to block addresses that come under the private address space if
 these addresses aren't routable over the Internet?

Even if they aren't routed over the Internet, they may well be present
within the local network environment provided by your ISP.  The
miscreant next door is just as dangerous (potentially) as the
miscreant on the other side of the planet.

Besides, it's a cheap bit of protection, so why not do it?

-- 
Dave K
Unix Systems & Network Administrator
Mount Laurel NJ