[luau] MonMotha Firewall rules help

Jeff Mings jeffm at lava.net
Tue Apr 9 13:50:12 PDT 2002


Yes, Ben, you should be using 255.255.255.0 or /24 netmasks for the 213.x.x.x 
entries that you want to block.

-Jeff


On Tuesday 09 April 2002 10:42 am, you wrote:
> Aloha all,
>
> 	I tried to go to the LyX web site today, but my firewall won't let me
> get there.  I was wondering if anyone could help.   Here are the
> particulars...
>
> I am running MonMotha's Firewall version 2.3.8-pre4 on a RH Linux ver 7.2
> machine.
>
> My BLACKHOLE list contains some families of IP addresses that represent
> "offenders" that I got tired of seeing in my log files...  This list of
> BLACKHOLED addresses for my firewall is:
>
> BLACKHOLE="217.96.0.0/14 217.97.33.0/8 211.0.0.0/24 213.141.164.0/8
> 213.29.216.0/8 213.96.0.0/18 213.69.98.0/8 210.0.0.0/24 203.0.0.0/24
> 202.0.0.0/24 200.128.0.0/23 200.68.128.0/15 195.151.179.0/8
> 193.251.0.0/18 193.206.80.0/12 150.244.0.0/16 146.59.0.0/16
> 61.131.0.0/16"
>
> The site I am trying to get to is:  http://www.lyx.org and the host
> command returns the following:
>
> [ben at hawaii ben]$ host www.lyx.org
> www.lyx.org. is an alias for baywatch.lyx.org.
> baywatch.lyx.org. has address 213.203.58.29
> [ben at hawaii ben]$
>
> My initial guess is that I should be OK with my netmasks on the 213.X.X.X
> addresses in the blackhole list because 213.203.X.X should not be
> blocked, but when I ask the iptables command what part of 213.X.X.X is
> really blocked I get something that makes me think otherwise.
>
>
> [root at router root]# /sbin/iptables -L | egrep 'Chain|213'
> Chain INPUT (policy DROP)
> DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> DROP       all  --  213-96-0-0.uc.nombres.ttd.es/18  anywhere
> DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> Chain FORWARD (policy DROP)
> DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> DROP       all  --  213-96-0-0.uc.nombres.ttd.es/18  anywhere
> DROP       all  --  anywhere             213-96-0-0.uc.nombres.ttd.es/18
> DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> Chain OUTPUT (policy ACCEPT)
> DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> DROP       all  --  anywhere             213-96-0-0.uc.nombres.ttd.es/18
> DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> [root at router root]#
>
> This almost makes me want to think that for this case, the netmask works
> left to right instead of right to left.  By this I mean that in spite of
> my intentions to netmask only a small portion of the 213.X.X.X family of
> addresses it appears that I may have blackholed the entire family of 213
> addresses.
>
> 	Can anybody verify if this is correct?  If so, what would be the best
> way to slice out only a small portion of addresses that I want to
> blackhole?
>
> Thanks in advance,
>
> Ben
> _______________________________________________
> LUAU mailing list
> LUAU at videl.ics.hawaii.edu
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
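An added illustration of the netmask behaviour discussed above (this is not code from either mail): Python's `ipaddress` module applies a prefix length the way iptables does, masking off the host bits, so an entry written as `213.141.164.0/8` collapses to `213.0.0.0/8` and matches the LyX host. The same code shows that rewriting those entries to the /24 Jeff recommends no longer catches 213.203.58.29.

```python
import ipaddress

# BLACKHOLE list exactly as quoted in Ben's message.
BLACKHOLE = ("217.96.0.0/14 217.97.33.0/8 211.0.0.0/24 213.141.164.0/8 "
             "213.29.216.0/8 213.96.0.0/18 213.69.98.0/8 210.0.0.0/24 203.0.0.0/24 "
             "202.0.0.0/24 200.128.0.0/23 200.68.128.0/15 195.151.179.0/8 "
             "193.251.0.0/18 193.206.80.0/12 150.244.0.0/16 146.59.0.0/16 "
             "61.131.0.0/16")

LYX_HOST = "213.203.58.29"  # baywatch.lyx.org, from the host output in the thread


def effective_network(entry):
    """Network that iptables really matches for an address/prefix entry.

    strict=False mirrors the kernel: bits beyond the prefix length are
    ignored, which is why 213.141.164.0/8 becomes 213.0.0.0/8 in the
    `iptables -L` listing.
    """
    return ipaddress.ip_network(entry, strict=False)


def effective_entries(blackhole):
    """Map each written entry to the range it actually blocks."""
    return {e: str(effective_network(e)) for e in blackhole.split()}


def matching_entries(blackhole, addr):
    """Entries whose effective range contains addr, in list order."""
    ip = ipaddress.ip_address(addr)
    return [e for e in blackhole.split() if ip in effective_network(e)]


def narrowed(entry, prefix=24):
    """Rewrite an entry with a /24 (Jeff's suggestion), keeping its address."""
    host = entry.split("/")[0]
    return str(ipaddress.ip_network(f"{host}/{prefix}", strict=False))


def narrow_wide_entries(blackhole, max_prefix=8, prefix=24):
    """Return the list with every /8-or-wider entry narrowed to /24."""
    return " ".join(narrowed(e, prefix) if effective_network(e).prefixlen <= max_prefix
                    else e for e in blackhole.split())


if __name__ == "__main__":
    for entry, real in effective_entries(BLACKHOLE).items():
        print(f"{entry:>18} -> {real}")
    print("blocks LyX host:", matching_entries(BLACKHOLE, LYX_HOST))
    print("after narrowing:", matching_entries(narrow_wide_entries(BLACKHOLE), LYX_HOST))
```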


