On 05/11/2010 06:30 AM, Martin Waschbuesch wrote:
Hi,
I just noticed that firewall.sh, at least the version in the cent50 scripts
which I use, contains the following section:
## Drop outside packets with local addresses - anti-spoofing measure
iptables -A INPUT -s $MYIP -i ! lo -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
#iptables -A INPUT -s 10.0.0.0/8 -i ! lo -j DROP
#iptables -A INPUT -s 192.168.0.0/16 -i ! lo -j DROP
iptables -A INPUT -s 224.0.0.0/4 -i ! lo -j DROP
iptables -A INPUT -s 0.0.0.0/8 -i ! lo -j DROP
iptables -A INPUT -s 255.255.255.255 -i ! lo -j DROP
iptables -A INPUT -s 169.254.0.0/16 -i ! lo -j DROP
iptables -A INPUT -s 221.240.102 -i ! lo -j DROP
iptables -A INPUT -s 203.215.94.193 -i ! lo -j DROP
iptables -A INPUT -s 218.71.137.68 -i ! lo -j DROP
#
Now, I just wondered why the private class A & C networks are listed, if only
as optional, and the class B variant is not. E.g.
#iptables -A INPUT -s 172.16.0.0/8 -i ! lo -j DROP
Likewise, the multicast space is excluded (224.0.0.0/4) while the class E test
space is not. E.g.
iptables -A INPUT -s 240.0.0.0/4 -i ! lo -j DROP
I understand all the other sections (e.g. loopback, APIPA, current network,
etc.), but then there are some individual addresses that I do not recognize:
iptables -A INPUT -s 221.240.102 -i ! lo -j DROP
iptables -A INPUT -s 203.215.94.193 -i ! lo -j DROP
iptables -A INPUT -s 218.71.137.68 -i ! lo -j DROP
Are these known troublemakers or some other special addresses? If so,
personally, I'd prefer to not have individual IP address excludes in the
firewall.sh script per default. I mean, those addresses *could* be reassigned
and serve a different / legit purpose at some point in the future.
Anyway, I included a slightly modified script that includes descriptions of the
reserved / protected address spaces and adds the missing two I mentioned above.
Thanks,
Martin
Thanks for the changes Martin. The firewall script is something that has
been on the back-burner to be addressed. I'm focused on some other
aspects at this time, so if you'd like to come over to the development
list and work on the firewall script that would be great (disclaimer - I
don't use the firewall.sh script myself - it's provided as a convenience
for those who may not want/be able to write their own firewall script,
so bear this in mind).
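Added example (my own, not part of firewall.sh or the qmailtoaster project): a small Python audit that does the check Martin did by eye. It parses the `iptables -A INPUT -s <src> ... -j DROP` lines of the anti-spoofing section, compares them against the reserved source blocks that should never arrive on an outside interface, and reports which blocks are dropped, which are only commented out, which are missing entirely, which rules are overbroad (note that the RFC 1918 class B block is 172.16.0.0/12, so a /8 there would also drop the public 172.0.0.0/8 space), which sources are malformed (the three-octet entry), and which are single-host entries of the kind Martin would rather not ship by default. The sample text is constructed from the snippet in the thread plus the proposed 172.16 rule; the suggested replacement rules use the current `! -i lo` syntax rather than the older `-i ! lo` form.

```python
"""Audit the anti-spoofing DROP rules of an iptables script (added example)."""
import ipaddress
import re

# Reserved / non-routable source blocks (RFC 1122, 1918, 3927, 5771, 1112).
RESERVED = {
    "this-network (0/8)": "0.0.0.0/8",
    "loopback": "127.0.0.0/8",
    "RFC 1918 10/8": "10.0.0.0/8",
    "RFC 1918 172.16/12": "172.16.0.0/12",
    "RFC 1918 192.168/16": "192.168.0.0/16",
    "link-local / APIPA": "169.254.0.0/16",
    "multicast": "224.0.0.0/4",
    "class E reserved": "240.0.0.0/4",
    "limited broadcast": "255.255.255.255/32",
}
RESERVED_NETS = {k: ipaddress.ip_network(v) for k, v in RESERVED.items()}

# Constructed sample: the section quoted in the thread plus the proposed
# (overbroad) class B rule, so the audit has something to flag.
SAMPLE = """\
## Drop outside packets with local addresses - anti-spoofing measure
iptables -A INPUT -s $MYIP -i ! lo -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
#iptables -A INPUT -s 10.0.0.0/8 -i ! lo -j DROP
#iptables -A INPUT -s 192.168.0.0/16 -i ! lo -j DROP
#iptables -A INPUT -s 172.16.0.0/8 -i ! lo -j DROP
iptables -A INPUT -s 224.0.0.0/4 -i ! lo -j DROP
iptables -A INPUT -s 0.0.0.0/8 -i ! lo -j DROP
iptables -A INPUT -s 255.255.255.255 -i ! lo -j DROP
iptables -A INPUT -s 169.254.0.0/16 -i ! lo -j DROP
iptables -A INPUT -s 221.240.102 -i ! lo -j DROP
iptables -A INPUT -s 203.215.94.193 -i ! lo -j DROP
iptables -A INPUT -s 218.71.137.68 -i ! lo -j DROP
"""

RULE_RE = re.compile(
    r"^(?P<off>#)?\s*iptables\s+-A\s+INPUT\s+-s\s+(?P<src>\S+)\s.*-j\s+DROP\s*$"
)


def parse_rules(text):
    """Yield (src, network-or-None, active) for every INPUT DROP rule.
    network is None for shell variables and for sources that do not parse."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src, active = m.group("src"), m.group("off") is None
        if src.startswith("$"):
            yield src, None, active
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)  # bare IP -> /32
        except ValueError:
            net = None
        yield src, net, active


def audit(text):
    rules = list(parse_rules(text))
    rep = {"covered": [], "commented": [], "missing": [], "overbroad": [],
           "hosts": [], "malformed": [], "variables": []}
    for src, net, _ in rules:
        if src.startswith("$"):
            rep["variables"].append(src)
        elif net is None:
            rep["malformed"].append(src)
    for label, rnet in RESERVED_NETS.items():
        on = [n for _, n, a in rules if n and a and rnet.subnet_of(n)]
        off = [n for _, n, a in rules if n and not a and rnet.subnet_of(n)]
        rep["covered" if on else "commented" if off else "missing"].append(label)
    for src, net, _ in rules:
        if net is None or net in RESERVED_NETS.values():
            continue
        if any(r.subnet_of(net) for r in RESERVED_NETS.values()):
            rep["overbroad"].append(src)  # wider than the reserved block inside it
        elif net.prefixlen == 32:
            rep["hosts"].append(src)  # individual address, not a reserved range
    return rep


def suggest_rules(rep):
    """Replacement rules for blocks that are missing or commented out."""
    return [f"iptables -A INPUT ! -i lo -s {RESERVED[label]} -j DROP"
            for label in rep["missing"] + rep["commented"]]


if __name__ == "__main__":
    report = audit(SAMPLE)
    for key, items in report.items():
        print(f"{key:10s} {items}")
    print("\n".join(suggest_rules(report)))
```

Running it on the sample reports class E (240.0.0.0/4) as missing, the three RFC 1918 blocks as commented out, 172.16.0.0/8 as overbroad, 221.240.102 as malformed and the two remaining addresses as single-host entries; the last three lines of output are the rules that would close the gaps.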
Qmailtoaster is sponsored by Vickers Consulting Group
(www.vickersconsulting.com)
Please visit qmailtoaster.com for the latest news, updates, and packages.