On Wed, 18 Oct 2000, Peter Jay Salzman wrote:

> i'm writing some ipchains rules for our cluster.  since a mistake would mean
> bringing the cluster down to a halt and interrupting programs that have been
> running for weeks, i just want to make sure everything is ok before i
> implement it.  can't have too many eyes.
> 
> here's topology:
> 
> 
> ext network ----> 169.237.44.88 (eth0)         int network
>                      wulfgar                   192.168.0.1
>                   192.168.0.100 (eth1)  -----> 192.168.0.2
>                                                192.168.0.3
>                                                   ...
> 
> 
> if i wanted to restrict 192.*.*.* from entering the internal network (all
> protocols, all ports), what i think is correct is:
> 
> ipchains -A input -s 192.0.0.0/255.0.0.0 -i eth0 -j DENY

Remember that you are "appending" (-A) to the chain, so as long as there
are no accept rules already in the chain to override this, it should
work.  The syntax looks okay, but then ipchains syntax is not native for
me.

> i think this is right, but the consequences of it being wrong are pretty
> harsh.  anyone see anything wrong?

I would change the source spec.  See below.

> 
> when you have an ip address like 192.0.0.0, does that automatically imply a
> netmask of 255.0.0.0?   (i was wondering about this for the tcp wrappers as
> well).

192.0.0.0/255.0.0.0 falls within the 192.0.0.0-223.255.255.255 "Class C"
address range which is supposed to use 255.255.255.0 masks, but nobody
pays much attention to that in real routing anymore.  That is, the
InterNIC will probably not assign you more than 256 addresses in a block
in that range, but they may assign less and you may elect to subdivide the
block you get further for your own routing purposes.

By blocking 192.0.0.0/255.0.0.0 you are almost certainly blocking some
valid public ip addresses, since the class C private addresses are limited
to 256 networks of 256 hosts each, in the range 192.168.x.y.  You probably
want to deny 192.168.0.0/255.255.255.0.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
Work:<[EMAIL PROTECTED]>              Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
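Added example (not part of the thread, and not ipchains itself): a small Python model of how an ipchains `input` chain is walked, first matching rule wins, with the chain's default policy applied when nothing matches. It uses the standard `ipaddress` module to show what the two source specifications discussed above actually cover, and why the order of an appended (`-A`) DENY relative to earlier ACCEPT rules matters. The `Rule`/`Packet` classes, the sample addresses and the chain contents are constructed for illustration.

```python
"""First-match evaluation of a tiny ipchains-style input chain, plus a check
of which source addresses a given address/mask actually covers.
Added example: the Rule/Packet representation and all sample data are invented
for illustration; this is not ipchains code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT" or "DENY" (-j)
    src: ipaddress.IPv4Network      # source address/mask (-s)
    iface: Optional[str] = None     # arriving interface (-i); None matches any

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address      # source address of the packet
    iface: str                      # interface the packet arrived on

def parse_src(spec: str) -> ipaddress.IPv4Network:
    """Parse an ipchains-style source spec; both '192.0.0.0/255.0.0.0' and
    '192.0.0.0/8' forms are accepted by ipaddress.IPv4Network."""
    return ipaddress.IPv4Network(spec, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when the source falls inside the rule's network and the
    interface filter (if any) agrees."""
    return pkt.src in rule.src and (rule.iface is None or rule.iface == pkt.iface)

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (target, index of the deciding rule), or (policy, None) if no rule matched.
    This is why an appended DENY is only effective if no earlier ACCEPT already matches."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return rule.target, i
    return policy, None

def public_addresses_covered(net: ipaddress.IPv4Network,
                             samples: List[ipaddress.IPv4Address]) -> List[str]:
    """Return the sample addresses that fall inside net but are NOT private
    (RFC 1918 or otherwise reserved), i.e. legitimate public traffic a DENY on
    net would also drop."""
    return [str(a) for a in samples if a in net and not a.is_private]

# Constructed sample sources: one public 192.x address, two RFC 1918 192.168 ones,
# and one RFC 1918 10.x address.
SAMPLE_SOURCES = [ipaddress.IPv4Address(s) for s in
                  ("192.1.2.3", "192.168.0.5", "192.168.7.9", "10.0.0.1")]

# The rule as written in the thread: -A input -s 192.0.0.0/255.0.0.0 -i eth0 -j DENY
THREAD_RULE = Rule("DENY", parse_src("192.0.0.0/255.0.0.0"), "eth0")

def demo() -> None:
    chain = [THREAD_RULE]
    print("192.168.5.5 via eth0 ->", evaluate(chain, Packet(ipaddress.IPv4Address("192.168.5.5"), "eth0")))
    print("192.1.2.3   via eth0 ->", evaluate(chain, Packet(ipaddress.IPv4Address("192.1.2.3"), "eth0")))
    print("192.168.5.5 via eth1 ->", evaluate(chain, Packet(ipaddress.IPv4Address("192.168.5.5"), "eth1")))
    # An ACCEPT-anything rule that was already in the chain before the append wins:
    shadowed = [Rule("ACCEPT", parse_src("0.0.0.0/0")), THREAD_RULE]
    print("with earlier ACCEPT  ->", evaluate(shadowed, Packet(ipaddress.IPv4Address("192.168.5.5"), "eth0")))
    for spec in ("192.0.0.0/255.0.0.0", "192.168.0.0/255.255.255.0", "192.168.0.0/255.255.0.0"):
        net = parse_src(spec)
        print(f"{spec:28s} covers {net.num_addresses:>9d} addresses; "
              f"public samples caught: {public_addresses_covered(net, SAMPLE_SOURCES)}")

if __name__ == "__main__":
    demo()
```

Running `demo()` shows the appended rule denying 192.168.5.5 and the public 192.1.2.3 alike on eth0, leaving eth1 traffic to the chain policy, and being shadowed entirely once an earlier catch-all ACCEPT exists. The address counts make the mask discussion concrete: `/255.0.0.0` spans 16,777,216 addresses including public ones, `/255.255.255.0` spans only the 256 addresses of 192.168.0.x, and `/255.255.0.0` spans the full 65,536-address 192.168.0.0/16 private block from RFC 1918.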