alex wrote:
>> Using iptables for RFC1918 filtration really isn't the best approach in many cases. It's generally better to null-route the RFC 1918 ranges:
>>
>>     ip route add unreachable 10.0.0.0/8
>>     ip route add unreachable 172.16.0.0/8
>>     ip route add unreachable 192.168.0.0/16
>>
>> and enable route filtering on your external interface(s).
>>
>> This approach is not without its hazards though. Consider if you were a customer of an ISP who uses RFC 1918 addresses for its DHCP servers.
>
> Thank you very much for the help, Tom. I did the following:
>
> 1. added the options 'routefilter' and 'logmartians' for the external interface in the 'interfaces' file
> 2. added your lines above to an 'init' file (which I created myself) in the Shorewall config directory (only changing 172.16.0.0/8 to 172.16.0.0/12)
>
> Sorry Tom, but I have one question about this configuration. Where must I insert the 'ip route del unreachable ...' commands? I tried the 'stop' and 'stopped' files, but they work for 'shorewall stop' and not for 'shorewall restart'. When I run 'shorewall restart' I see these messages:
>
>     ...
>     Processing /etc/shorewall/init ...
>     RTNETLINK answers: File exists
>     RTNETLINK answers: File exists
>     RTNETLINK answers: File exists
>     ...
>
> Therefore I conclude that 'stop'/'stopped' don't work in this case.
The 'stop' and 'stopped' scripts are not run by the 'restart' command. 'restart' is exactly the same command as 'start'.
Rather than 'ip route add', use 'ip route replace', which will add the route if it doesn't exist but will be silent if the route is already there.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
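An idempotent version of the 'init' extension script along the lines Tom suggests, as an added example (not code from either message, nor Shorewall's own code): it uses 'ip route replace' with the correct /12 for 172.16.0.0 and can optionally exempt one RFC 1918 host such as an ISP DHCP server. The $COMMAND variable being exported by Shorewall, the interface name eth0 and the host 10.255.0.1 are assumptions/placeholders.

```shell
#!/bin/sh
# Example /etc/shorewall/init extension script (added example, not Shorewall's
# or Tom's own code). Null-routes the RFC 1918 blocks idempotently, so the
# re-run on 'shorewall restart' cannot fail with "RTNETLINK answers: File exists".

# The three RFC 1918 ranges with their correct prefix lengths (/12 for 172.16).
RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Optional exemption for an RFC 1918 host that must stay reachable on the
# external link, e.g. an ISP DHCP server. Both values are assumed placeholders.
EXT_IF="${EXT_IF:-eth0}"
KEEP_HOST="${KEEP_HOST:-}"   # e.g. 10.255.0.1; leave empty to exempt nothing

# Set DRYRUN=1 to print the commands instead of executing them.
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 'ip route replace' installs the route if missing and silently refreshes it
# if present, so this may run on every start/restart without any 'del' step.
null_route_rfc1918() {
    for net in $RFC1918_NETS; do
        run ip route replace unreachable "$net"
    done
    # A /32 host route is longer than the /8, /12 or /16 containing it, so
    # longest-prefix matching keeps just this host reachable through EXT_IF.
    if [ -n "$KEEP_HOST" ]; then
        run ip route replace "$KEEP_HOST/32" dev "$EXT_IF"
    fi
}

# Number of the three RFC 1918 null routes currently installed (0 to 3).
# The "unreachable " prefix is optional because iproute2 versions differ here.
count_installed() {
    ip -4 route show type unreachable 2>/dev/null |
        grep -cE '^(unreachable )?(10\.0\.0\.0/8|172\.16\.0\.0/12|192\.168\.0\.0/16)( |$)' || true
}

# Shorewall exports the command being run as $COMMAND (assumed here); install
# the routes for start and restart, which Tom notes are the same command.
case "${COMMAND:-}" in
    start|restart) null_route_rfc1918 ;;
esac
```

Run it by hand with DRYRUN=1 and COMMAND=start to see the exact commands before letting Shorewall execute it as root.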
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
