[luau] MonMotha Firewall rules help

beesond001 at hawaii.rr.com beesond001 at hawaii.rr.com
Tue Apr 9 13:42:50 PDT 2002


Aloha all,

	I tried to go to the LyX web site today, but my firewall won't let me 
get there.  I was wondering if anyone could help.   Here are the 
particulars...

I am running MonMotha's Firewall version 2.3.8-pre4 on a RH Linux ver 7.2 
machine.  

My BLACKHOLE list contains some families of IP addresses that represent 
"offenders" that I got tired of seeing in my log files...  This list of 
BLACKHOLED addresses for my firewall is:

BLACKHOLE="217.96.0.0/14 217.97.33.0/8 211.0.0.0/24 213.141.164.0/8 
213.29.216.0/8 213.96.0.0/18 213.69.98.0/8 210.0.0.0/24 203.0.0.0/24 
202.0.0.0/24 200.128.0.0/23 200.68.128.0/15 195.151.179.0/8 
193.251.0.0/18 193.206.80.0/12 150.244.0.0/16 146.59.0.0/16 
61.131.0.0/16"

The site I am trying to get to is:  http://www.lyx.org and the host 
command returns the following:

[ben at hawaii ben]$ host www.lyx.org
www.lyx.org. is an alias for baywatch.lyx.org.
baywatch.lyx.org. has address 213.203.58.29
[ben at hawaii ben]$

My initial guess is that I should be OK with my netmasks on the 213.X.X.X 
addresses in the blackhole list because 213.203.X.X should not be 
blocked, but when I ask the iptables command what part of 213.X.X.X is 
really blocked I get something that makes me think otherwise. 


[root at router root]# /sbin/iptables -L | egrep 'Chain|213'
Chain INPUT (policy DROP)
DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
DROP       all  --  213-96-0-0.uc.nombres.ttd.es/18  anywhere
DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
Chain FORWARD (policy DROP)
DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
DROP       all  --  213-96-0-0.uc.nombres.ttd.es/18  anywhere
DROP       all  --  anywhere             213-96-0-0.uc.nombres.ttd.es/18
DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
Chain OUTPUT (policy ACCEPT)
DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
DROP       all  --  anywhere             213-96-0-0.uc.nombres.ttd.es/18
DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
[root at router root]#

This almost makes me want to think that for this case, the netmask works 
left to right instead of right to left.  By this I mean that in spite of 
my intentions to netmask only a small portion of the 213.X.X.X family of 
addresses it appears that I may have blackholed the entire family of 213 
addresses.  

	Can anybody verify if this is correct?  If so, what would be the best 
way to slice out only a small portion of addresses that I want to 
blackhole?  

Thanks in advance,

Ben 
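An added example (not part of Ben's message or of MonMotha's firewall) that audits the posted BLACKHOLE list with Python's ipaddress module: it shows which entries iptables widens because their prefix length is counted from the left (so 213.141.164.0/8 is really 213.0.0.0/8), which entries cover 213.203.58.29, and a tightened list built on the assumption that the octets written out were the ones meant to be blocked.

```python
import ipaddress

# The BLACKHOLE list exactly as posted in the message.
BLACKHOLE = (
    "217.96.0.0/14 217.97.33.0/8 211.0.0.0/24 213.141.164.0/8 "
    "213.29.216.0/8 213.96.0.0/18 213.69.98.0/8 210.0.0.0/24 203.0.0.0/24 "
    "202.0.0.0/24 200.128.0.0/23 200.68.128.0/15 195.151.179.0/8 "
    "193.251.0.0/18 193.206.80.0/12 150.244.0.0/16 146.59.0.0/16 "
    "61.131.0.0/16"
)


def effective_network(entry: str) -> ipaddress.IPv4Network:
    """The network iptables actually matches for a CIDR entry.

    The prefix length counts bits from the LEFT of the address, so any
    bits set beyond it are ignored: 213.141.164.0/8 matches 213.0.0.0/8.
    """
    return ipaddress.ip_network(entry, strict=False)


def sloppy_entries(blackhole: str) -> list:
    """(entry, what it really matches) for entries with host bits set."""
    out = []
    for entry in blackhole.split():
        net = effective_network(entry)
        if entry != net.with_prefixlen:
            out.append((entry, net.with_prefixlen))
    return out


def matching_entries(blackhole: str, host: str) -> list:
    """Which BLACKHOLE entries cover the given host address."""
    addr = ipaddress.ip_address(host)
    return [e for e in blackhole.split() if addr in effective_network(e)]


def tightened(entry: str) -> str:
    """Assumed intent: the non-zero octets written are the ones to block.

    For an entry with host bits set, use 8 bits of prefix per written
    octet, e.g. 213.141.164.0/8 -> 213.141.164.0/24.  This is a guess at
    the poster's intent, not something the message states.
    """
    addr, _prefix = entry.split("/")
    if entry == effective_network(entry).with_prefixlen:
        return entry  # already aligned, nothing to fix
    octets = [int(o) for o in addr.split(".")]
    written = max(i + 1 for i, o in enumerate(octets) if o)
    return f"{addr}/{8 * written}"


if __name__ == "__main__":
    for entry, real in sloppy_entries(BLACKHOLE):
        print(f"{entry:20} really matches {real:18} suggest {tightened(entry)}")
    print("213.203.58.29 is blocked by:", matching_entries(BLACKHOLE, "213.203.58.29"))
```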


