Re: Arbitrary Netmasks
Hi,

(removed netfilter-devel from the headers, this is not a development Q)

> Netfilter supports arbitrary netmasks for IP addresses which is more
> powerful than just those IP/x (0 <= x <= 32) expressions. For example one
> could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
>
> Are masks that cannot be expressed in the IP/x scheme (at least not in
> one rule) used in practice? Are they used at all in firewall rulesets?

They are used in practice. I have been using them with ipfwadm, and I am using them with iptables.

What I use them for is statistical multiplexing based on one or more of the low bits (but not the lowest!) of IP addresses. For example, I have a dual-processor system with two squid processes, and want to distribute a number of incoming clients evenly (and deterministically) over the two squid processes. For God-given reasons, under light load, the even client IPs are preferred over the odd client IPs. To get a good distribution for both light load and full load, I look at the second lowest bit of the client IP address to determine where to REDIRECT to, like this:

    iptables -t nat -A PREROUTING -s 0.0.0.0/0.0.0.2 -j REDIRECT --to-port 1234
    iptables -t nat -A PREROUTING -s 0.0.0.2/0.0.0.2 -j REDIRECT --to-port 1235

Another real world example I have seen in use in Cisco access-lists, where the noncontiguous mask works just like in iptables, is to pick out the same local IP in a range of subnets. Imagine you have a number of LANs with IP addresses 10.23.x.y/16, and y==1 is your default gateway in every LAN. Given 10.23.0.1/255.255.0.255, you have a single-rule expression for all gateways in your LANs, which is preferable (if you manage to keep to the scheme!) to a sequential list of rules, one per LAN.

best regards
Patrick
Re: Arbitrary Netmasks
On Tuesday 28 May 2002 15:18, Thomas Heinz wrote:

> Netfilter supports arbitrary netmasks for IP addresses which is more
> powerful than just those IP/x (0 <= x <= 32) expressions. For example one
> could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).

Yes, this is the fastest method when matching filter expressions..

> Are masks that cannot be expressed in the IP/x scheme (at least not in
> one rule) used in practice? Are they used at all in firewall rulesets?

Not in real life networks, but such masks are useful in certain types of expressions, for example load balancing based on destination, or as wildcard matches for matching all your routers / servers / whatever, assuming you have a well structured addressing scheme in your own networks..

Regards
Henrik
Re: Arbitrary Netmasks
> I've always wondered about the concept of using weird netmasks on private
> internal networks, just to thoroughly confuse anyone who actually breaks
> into them (obscurity isn't security by itself, but any little bit you can
> add on and anything you can do that will break standard tools)... never
> had a chance to actually implement it however :-)

I think this weird netmask could have a very simple explanation at bigger firms. Example: a firm with 2 floors and 4 subunits; each subunit has a router with 100MBit and they are numbered serially in the order they were created.

    Floor 1   10.0.0.0/16   10.2.0.0/24
    Floor 2   10.1.0.0/16   10.3.0.0/24

Now the 100MBit backbone is replaced with fibre optic and one router per floor. And the admin is too lazy to renumber 2 whole units.

This is a simple example but I think it comes from this direction: that it is sometimes easier to use a weird netmask instead of two or more routing entries, and aggregation wasn't a choice because of the change time.

Cu
Thomas
Re: Arbitrary Netmasks
On Tue, 28 May 2002, Stephen Frost wrote:

> * Thomas Heinz ([EMAIL PROTECTED]) wrote:
> > Netfilter supports arbitrary netmasks for IP addresses which is more
> > powerful than just those IP/x (0 <= x <= 32) expressions. For example one
> > could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
> >
> > Are masks that cannot be expressed in the IP/x scheme (at least not in
> > one rule) used in practice? Are they used at all in firewall rulesets?
>
> I'm pretty confident they're not valid and don't make sense.

But something like IP/255.255.255.192 is still valid and is probably used quite a lot. At least I use it. It's easy to use a $NETMASK variable in scripts for this.

Joost
Re: Arbitrary Netmasks
Hi Joost

You wrote:
> But something like IP/255.255.255.192 is still valid and is probably used
> quite a lot. At least I use it. It's easy to use a $NETMASK variable in
> scripts for this.

IP/255.255.255.192 == IP/26

Thomas
Re: Arbitrary Netmasks
I usually use:

    iptables -A FORWARD -s 0.0.0.255/0.0.0.255 -j DROP
    iptables -A FORWARD -d 0.0.0.255/0.0.0.255 -j DROP
    iptables -A FORWARD -s 0.0.0.0/0.0.0.255 -j DROP
    iptables -A FORWARD -d 0.0.0.0/0.0.0.255 -j DROP

to stop routing of broadcasted packets. This works assuming you only have 256 sized classes.

At 15:18 28-05-2002 +0200, Thomas Heinz wrote:
> Hi
>
> Netfilter supports arbitrary netmasks for IP addresses which is more
> powerful than just those IP/x (0 <= x <= 32) expressions. For example one
> could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
>
> Are masks that cannot be expressed in the IP/x scheme (at least not in
> one rule) used in practice? Are they used at all in firewall rulesets?
>
> Thomas
Re: Arbitrary Netmasks
Which is not generally a valid thing to assume.. the .255 and/or .0 address may be in use on larger networks, especially if addresses are assigned dynamically using a large DHCP scope..

On Tuesday 28 May 2002 16:07, Filipe Almeida wrote:
> I usually use:
>
>     iptables -A FORWARD -s 0.0.0.255/0.0.0.255 -j DROP
>     iptables -A FORWARD -d 0.0.0.255/0.0.0.255 -j DROP
>     iptables -A FORWARD -s 0.0.0.0/0.0.0.255 -j DROP
>     iptables -A FORWARD -d 0.0.0.0/0.0.0.255 -j DROP
>
> to stop routing of broadcasted packets. This works assuming you only have
> 256 sized classes.
Re: Arbitrary Netmasks
True. I attach interface (-i/-o) matches so I will only filter my networks. I wrote those lines off the top of my head so I forgot the -i/-o.

At 20:45 28-05-2002 +0200, Henrik Nordstrom wrote:
> Which is not generally a valid thing to assume.. the .255 and/or .0
> address may be in use on larger networks, especially if addresses are
> assigned dynamically using a large DHCP scope..
>
> On Tuesday 28 May 2002 16:07, Filipe Almeida wrote:
> > I usually use:
> >
> >     iptables -A FORWARD -s 0.0.0.255/0.0.0.255 -j DROP
> >     iptables -A FORWARD -d 0.0.0.255/0.0.0.255 -j DROP
> >     iptables -A FORWARD -s 0.0.0.0/0.0.0.255 -j DROP
> >     iptables -A FORWARD -d 0.0.0.0/0.0.0.255 -j DROP
> >
> > to stop routing of broadcasted packets. This works assuming you only
> > have 256 sized classes.
Arbitrary Netmasks
Hi

Netfilter supports arbitrary netmasks for IP addresses which is more powerful than just those IP/x (0 <= x <= 32) expressions. For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).

Are masks that cannot be expressed in the IP/x scheme (at least not in one rule) used in practice? Are they used at all in firewall rulesets?

Thomas
Re: Arbitrary Netmasks
* Thomas Heinz ([EMAIL PROTECTED]) wrote:
> Netfilter supports arbitrary netmasks for IP addresses which is more
> powerful than just those IP/x (0 <= x <= 32) expressions. For example one
> could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
>
> Are masks that cannot be expressed in the IP/x scheme (at least not in
> one rule) used in practice? Are they used at all in firewall rulesets?

I'm pretty confident they're not valid and don't make sense.

Stephen
Re: Arbitrary Netmasks
On Tue, 28 May 2002, Thomas Heinz wrote:

> Hi
>
> Netfilter supports arbitrary netmasks for IP addresses which is more
> powerful than just those IP/x (0 <= x <= 32) expressions. For example one
> could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
>
> Are masks that cannot be expressed in the IP/x scheme (at least not in
> one rule) used in practice? Are they used at all in firewall rulesets?

i recall wondering about non-contiguous netmasks a number of years ago, and asking someone more knowledgeable than i about them. he said that, while *technically* there's nothing wrong with them and that, *technically* they don't violate any rules, there's no guarantee that router vendors will support them since there's so little rationale for them.

anyway, my $0.02, for what it's worth.

rday
Re: Arbitrary Netmasks
* Joost Remijn ([EMAIL PROTECTED]) wrote:
> On Tue, 28 May 2002, Stephen Frost wrote:
> > * Thomas Heinz ([EMAIL PROTECTED]) wrote:
> > > Netfilter supports arbitrary netmasks for IP addresses which is more
> > > powerful than just those IP/x (0 <= x <= 32) expressions. For example
> > > one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
> > >
> > > Are masks that cannot be expressed in the IP/x scheme (at least not in
> > > one rule) used in practice? Are they used at all in firewall rulesets?
> >
> > I'm pretty confident they're not valid and don't make sense.
>
> But something like IP/255.255.255.192 is still valid and is probably used
> quite a lot. At least I use it. It's easy to use a $NETMASK variable in
> scripts for this.

Sure, and that can be represented as IP/26..

Stephen
Re: Arbitrary Netmasks
On Tuesday 28 May 2002 11:06 pm, Erik C Elmshauser wrote:

> Hi, this is my first post to the list. I agree with Stephen, these
> netmasks are (as far as I can tell) meaningless. Because of the way that
> you compute network addresses by comparing a mask to an address the
> 255.255.0.128 mask just will not do what you expect.

I would say that depends rather a lot on what it is you expect. So long as you expect the right thing, these rather weird netmasks (sorry, Ramin, can't think of a better name for them) will work just the way they're supposed to.

> For more info check out: ftp://ftp.isi.edu/in-notes/rfc1878.txt

No, that RFC deals only with netmasks following the standard convention of all the 1 bits on the left and all the 0 bits on the right. Here we're talking about masks where the 1s and 0s can be mixed up a whole lot more than that.

They work just the same as 'normal' netmasks - you do a bitwise AND between the IP address and the mask, exclusive-OR with the network address, and if the answer's zero, the IP address belongs within the network range. If it's not, then it doesn't.

None of this should be taken to imply that I'm aware of anyone having a good reason for actually using these strange things though :-)

Antony.
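As an added worked example (not code from any poster in this thread), the AND/XOR match rule Antony describes, applied to the masks used earlier by Patrick (the 0.0.0.2 squid multiplexing and 10.23.0.1/255.255.0.255 for "y==1 gateways") and Filipe (the 0.0.0.255 broadcast rules), plus the contiguity check behind Thomas's "IP/255.255.255.192 == IP/26". The `squid_port` and `is_subnet_broadcast_or_zero` helpers and the client addresses are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _addr(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_mask(mask):
    """Accept a prefix length ("26") or a dotted quad ("255.0.255.255").
    The dotted form may be non-contiguous, as iptables allows."""
    if "." in mask:
        return _addr(mask)
    bits = int(mask)
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - bits)) & ALL_ONES


def matches(ip, spec):
    """Netfilter-style match for 'net/mask': AND the packet address with
    the mask, XOR with the masked network address, match if zero."""
    net, mask = spec.split("/")
    m = parse_mask(mask)
    return ((_addr(ip) & m) ^ (_addr(net) & m)) == 0


def prefix_length(mask):
    """Return x if the dotted mask equals /x, else None when the mask is
    non-contiguous and so cannot be written as IP/x in a single rule."""
    inv = ~_addr(mask) & ALL_ONES      # the mask's zero bits
    if inv & (inv + 1):                # contiguous iff inv == 2**k - 1
        return None
    return 32 - inv.bit_length()


def squid_port(client_ip):
    """Patrick's scheme (constructed helper): the second-lowest source bit
    selects the REDIRECT port; first matching rule wins, as in PREROUTING."""
    if matches(client_ip, "0.0.0.0/0.0.0.2"):
        return 1234
    return 1235


def is_subnet_broadcast_or_zero(ip):
    """Filipe's rules (constructed helper): last octet all ones or all
    zeros, which only identifies broadcast/network addresses on /24s."""
    return matches(ip, "0.0.0.255/0.0.0.255") or matches(ip, "0.0.0.0/0.0.0.255")
```

Henrik's objection shows up directly: `is_subnet_broadcast_or_zero("10.0.1.0")` is true even though 10.0.1.0 is an ordinary host inside a 10.0.0.0/16 DHCP scope.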