[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: reconsidering default exit policy



On Fri, Mar 11, 2005 at 11:02:44AM +0100, Valient Gough wrote:
> Geoffrey Goodell wrote:
>># reject private networks (no surprises!)
>>ExitPolicy reject 0.0.0.0/255.0.0.0:*
>>ExitPolicy reject 127.0.0.0/255.0.0.0:*
>>ExitPolicy reject 10.0.0.0/255.0.0.0:*
>>ExitPolicy reject 172.16.0.0/255.240.0.0:*
>>ExitPolicy reject 192.168.0.0/255.255.0.0:*
>>ExitPolicy reject 169.254.0.0/255.255.0.0:*

> Also, is the list of private networks above exhaustive?

AFAIK, it would.

> I took my list of networks to block from my firewall list (from
> firehol.sourceforge.net):

> # IANA Reserved IPv4 address space
> # Suggested by Fco.Felix Belmonte <ffelix@xxxxxxxxxxxxx>
> # Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@xxxxxxxxxxxxxxxxxxx>
> # Further optimized and reduced by http://www.vergenet.net/linux/aggregate/
> # The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.
> RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8
> 27.0.0.0/8 31.0
> .0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7
> 76.0.0.
> 0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7
> 176.0.0.
> 0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4"

At first sight, this looks like a BOGON list; these are IP ranges that
aren't allocated to anyone NOW (plus "special use"). So if anyone uses
these addresses NOW, it is a nasty spoofer. But these addresses can
get allocated in the future, it is thus *critical* for
interoperability that these bogon filters be used ONLY if the filter
*will* get updated *often* automatically, e.g. from
http://www.cymru.com/Bogons/ . And never in "configure once and don't
touch it" mode.

I might be a good idea to filter out multicast space, though. That's
224.0.0.0/4. And other "special use" spaces:

            0.0.0.0/8		"this" network - only for source,
				never destination
            10.0.0.0/8		covered
            127.0.0.0/8		covered
            169.254.0.0/16	covered
            172.16.0.0/12	covered
            192.0.2.0/24	reserved for documentation and examples
            192.168.0.0/16	covered
            198.18.0.0/15	reserved for benchmarks
            240.0.0.0/4		"reserved for future use", and listed
	                        in the "martian" list; I suppose one
				doesn't expect assignments from this
				space before a long time, but it could
				happen, I guess. Or the space could be
				used for a totally different use.

(multicast plus reserved aggregate to 224.0.0.0/3)

TCP connections to 6to4 auto-router space (192.88.99.0/24) don't make
much sense either; we can filter those.

-- 
Lionel