Re: reconsidering default exit policy
On Fri, Mar 11, 2005 at 11:02:44AM +0100, Valient Gough wrote:
> Geoffrey Goodell wrote:
>># reject private networks (no surprises!)
>>ExitPolicy reject 0.0.0.0/255.0.0.0:*
>>ExitPolicy reject 127.0.0.0/255.0.0.0:*
>>ExitPolicy reject 10.0.0.0/255.0.0.0:*
>>ExitPolicy reject 172.16.0.0/255.240.0.0:*
>>ExitPolicy reject 192.168.0.0/255.255.0.0:*
>>ExitPolicy reject 169.254.0.0/255.255.0.0:*
> Also, is the list of private networks above exhaustive?
AFAIK, it would.
> I took my list of networks to block from my firewall list (from
> firehol.sourceforge.net):
> # IANA Reserved IPv4 address space
> # Suggested by Fco.Felix Belmonte <ffelix@xxxxxxxxxxxxx>
> # Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@xxxxxxxxxxxxxxxxxxx>
> # Further optimized and reduced by http://www.vergenet.net/linux/aggregate/
> # The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.
> RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8
> 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7
> 76.0.0.0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7
> 176.0.0.0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4"
At first sight, this looks like a BOGON list; these are IP ranges that
aren't allocated to anyone NOW (plus "special use"). So if anyone uses
these addresses NOW, it is a nasty spoofer. But these addresses can
get allocated in the future; it is thus *critical* for
interoperability that these bogon filters be used ONLY if the filter
*will* get updated *often* automatically, e.g. from
http://www.cymru.com/Bogons/ . And never in "configure once and don't
touch it" mode.
It might be a good idea to filter out multicast space, though. That's
224.0.0.0/4. And other "special use" spaces:

0.0.0.0/8         "this" network - only for source, never destination
10.0.0.0/8        covered
127.0.0.0/8       covered
169.254.0.0/16    covered
172.16.0.0/12     covered
192.0.2.0/24      reserved for documentation and examples
192.168.0.0/16    covered
198.18.0.0/15     reserved for benchmarks
240.0.0.0/4       "reserved for future use", and listed in the "martian"
                  list; I suppose one doesn't expect assignments from this
                  space before a long time, but it could happen, I guess.
                  Or the space could be used for a totally different use.
(multicast plus reserved aggregate to 224.0.0.0/3)
TCP connections to 6to4 auto-router space (192.88.99.0/24) don't make
much sense either; we can filter those.
--
Lionel
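The following is an added worked example, not code from this thread or from Tor. It parses the ExitPolicy lines Geoffrey posted (Tor's address/netmask syntax), rewrites them in CIDR notation, checks which of the special-use ranges Lionel lists are not yet covered by that policy, and shows the 224.0.0.0/4 + 240.0.0.0/4 aggregation to 224.0.0.0/3. The first-match evaluation and the trailing "accept everything else" default are assumptions of this example (a real relay's policy ends with whatever tor appends), and `first_match` only handles a single port or `*`, not port ranges.

```python
import ipaddress

# ExitPolicy lines as posted in the thread (Tor's legacy address/netmask form).
GOODELL_POLICY = """
# reject private networks (no surprises!)
ExitPolicy reject 0.0.0.0/255.0.0.0:*
ExitPolicy reject 127.0.0.0/255.0.0.0:*
ExitPolicy reject 10.0.0.0/255.0.0.0:*
ExitPolicy reject 172.16.0.0/255.240.0.0:*
ExitPolicy reject 192.168.0.0/255.255.0.0:*
ExitPolicy reject 169.254.0.0/255.255.0.0:*
"""

# Additional special-use ranges from Lionel's reply (CIDR form).
EXTRA_SPECIAL_USE = {
    "192.0.2.0/24": "reserved for documentation and examples",
    "198.18.0.0/15": "reserved for benchmarks",
    "192.88.99.0/24": "6to4 auto-router space",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved for future use",
}


def parse_exit_policy(text):
    """Return a list of (action, network, port) from ExitPolicy lines.

    ipaddress accepts both 'a.b.c.d/255.0.0.0' and 'a.b.c.d/8', so the
    netmask form used in the thread needs no special handling.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "ExitPolicy":
            raise ValueError(f"unrecognised line: {line!r}")
        action, target = parts[1], parts[2]
        addr, port = target.rsplit(":", 1)
        if addr == "*":
            addr = "0.0.0.0/0"
        net = ipaddress.ip_network(addr, strict=False)
        rules.append((action, net, port))
    return rules


def to_cidr_lines(rules):
    """Rewrite the policy in CIDR notation, the form used in Lionel's table."""
    return [f"ExitPolicy {a} {n.with_prefixlen}:{p}" for a, n, p in rules]


def first_match(rules, address, port=80):
    """Assumed semantics: lines are evaluated in order, first match wins,
    and anything unmatched is accepted (a trailing accept *:* default)."""
    ip = ipaddress.ip_address(address)
    for action, net, p in rules:
        if ip in net and (p == "*" or int(p) == port):
            return action
    return "accept"


def uncovered_ranges(rules, candidates):
    """Return the candidate networks not fully inside some reject line.

    Answers the 'is the list exhaustive?' question for a given set of
    special-use ranges.
    """
    rejected = [n for a, n, _ in rules if a == "reject"]
    return [c for c in candidates
            if not any(ipaddress.ip_network(c).subnet_of(r) for r in rejected)]


def aggregate(nets):
    """Collapse adjacent ranges, e.g. 224.0.0.0/4 + 240.0.0.0/4 -> 224.0.0.0/3."""
    return [str(n) for n in
            ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets)]


if __name__ == "__main__":
    rules = parse_exit_policy(GOODELL_POLICY)
    print("\n".join(to_cidr_lines(rules)))
    for net in uncovered_ranges(rules, EXTRA_SPECIAL_USE):
        print(f"not covered: {net:16} {EXTRA_SPECIAL_USE[net]}")
    print("multicast + reserved aggregate:", aggregate(["224.0.0.0/4", "240.0.0.0/4"]))
```

Running it prints Geoffrey's six lines in CIDR form, lists all five of Lionel's extra ranges as not covered, and confirms the /3 aggregate. Note that static special-use ranges like these are a different thing from a bogon list: they can be configured once, whereas a bogon list has to be refreshed automatically or it will eventually block legitimately allocated space.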