On Wed, 18 Oct 2000 [EMAIL PROTECTED] wrote:
> > jeff, if someone came in on _any_ IP address whose first octet is 192, we
> > don't want to talk to them. wouldn't 255.0.0.0 be the correct thing to do?
>
> Why don't you want to talk to them? You're sure you don't want to talk
> to, say, hplb.hpl.hp.com (192.6.10.2)? Or adobe-dns.adobe.com
> (192.150.11.30)?
yes, i'm absolutely, positively fantastically, unequivocally, super-duper sure.
i don't even want to talk to support1.adobe.com (192.150.11.35).
in fact...
192.*.*.* adapted from dr. seuss
=================================
i would not talk to them here or there,
i would not talk to them anywhere.
i would not talk to them for spam,
i would not talk to them, sam-i-am.
i would not talk to them on a boat
i would not talk to them, even if they were a billy goat.
i would not talk to them in the rain,
i would not talk to them on a train.
not in the dark! not in a tree!
not in a car! i hope they let me be!
i do not like them in a box
i do not like them in a fox
i do not want to talk to them in a house
i do not want to talk to them in a mouse
i do not want to talk to them here or there
i do not want to talk to them anywhere?
i hope i convinced you i don't want to talk with *anyone* whose ip address
starts with 192. i would go even farther -- i don't even want to talk to
anyone with an ip address of 19*.*.*.
did i forget to mention to you that i really don't want to talk to any ip
address that begins with 192? :)
> > we use 192.168.0.* for the internal network, but that's a different
> > device, and we don't have any chains in use for that device.
>
> The point would be to prevent spoofed packets from getting through your
> firewall on the wrong interface. What was your purpose in denying
> 192.0.0.0?
why not? if nobody comes a-knockin', nobody here wants to listen...
> A different approach (rather more controllable, but more tedious to
> set up) is to deny everything and then allow specific services or
> ip sources in.
that's what i plan to do. it'll take a while to compile the addresses, but
in the meantime...
pete
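The mask arithmetic the thread argues over, as an added example that is not part of the original message: a small first-match rule evaluator in Python that applies ipchains-style address/mask rules to constructed packets, showing that 192.0.0.0 with mask 255.0.0.0 catches every 192.x.x.x host named above, what mask a "19*" wish would actually need, and how the default-deny plus anti-spoof layout from the reply behaves. Interface names (eth0 outside, eth1 internal) and the rule ordering are assumptions.

```python
import ipaddress

# Constructed example: first-match evaluation of address/mask rules, in the
# spirit of ipchains. eth0 = outside interface, eth1 = internal (assumed).

def make_rule(iface, src, mask, action):
    """Build one rule from the dotted-quad address/mask form used in the thread."""
    net = ipaddress.IPv4Network(f"{src}/{mask}", strict=False)
    return {"iface": iface, "net": net, "action": action}

def evaluate(rules, iface, src_ip, default="DENY"):
    """Return the action of the first rule matching (iface, source); else the default."""
    addr = ipaddress.IPv4Address(src_ip)
    for r in rules:
        if r["iface"] in (iface, "any") and addr in r["net"]:
            return r["action"]
    return default

def first_octets_covered(src, mask):
    """Which first octets does address/mask really match? (mask math check)"""
    net = ipaddress.IPv4Network(f"{src}/{mask}", strict=False)
    return {o for o in range(256) if ipaddress.IPv4Address(f"{o}.0.0.0") in net}

# Pete's rule: refuse any source whose first octet is 192 (192.0.0.0/255.0.0.0).
WIDE_DENY = [make_rule("any", "192.0.0.0", "255.0.0.0", "DENY")]

# The reply's alternative: default deny, then explicit allows, plus an
# anti-spoof rule so the internal range is only accepted on the inside.
ANTI_SPOOF = [
    make_rule("eth0", "192.168.0.0", "255.255.255.0", "DENY"),       # spoofed internal
    make_rule("eth1", "192.168.0.0", "255.255.255.0", "ACCEPT"),     # real internal
    make_rule("eth0", "192.150.11.30", "255.255.255.255", "ACCEPT"), # one allowed host
]

if __name__ == "__main__":
    for ip in ("192.6.10.2", "192.150.11.30", "192.150.11.35", "193.0.0.1"):
        print(ip, evaluate(WIDE_DENY, "eth0", ip, default="ACCEPT"))
    print(sorted(first_octets_covered("192.0.0.0", "248.0.0.0")))  # 192..199
```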