[luau] MonMotha Firewall rules help
MonMotha
monmotha at indy.rr.com
Tue Apr 9 14:28:30 PDT 2002
This isn't a script issue, it's an iptables issue, and iptables is
acting properly. When you give a /8 CIDR bitmask, translating to a
255.0.0.0 netmask, iptables finds the proper network to apply it to.
You blackhole 213.69.98.0/8, which is in the 213.0.0.0/8 network.
Iptables corrects your improper terminology and takes it to the nearest
proper network, causing the deny to affect all of the 213./8 subnet.
--MonMotha
Jeff Mings wrote:
> Yes, Ben, you should be using 255.255.255.0 or /24 netmasks for the 213.x.x.x
> entries that you want to block.
>
> -Jeff
>
>
> On Tuesday 09 April 2002 10:42 am, you wrote:
>
>>Aloha all,
>>
>> I tried to go to the LyX web site today, but my firewall won't let me
>>get there. I was wondering if anyone could help. Here are the
>>particulars...
>>
>>I am running MonMotha's Firewall version 2.3.8-pre4 on a RH Linux ver 7.2
>>machine.
>>
>>My BLACKHOLE list contains some families of IP addresses that represent
>>"offenders" that I got tired of seeing in my log files... This list of
>>BLACKHOLED addresses for my firewall is:
>>
>>BLACKHOLE="217.96.0.0/14 217.97.33.0/8 211.0.0.0/24 213.141.164.0/8
>>213.29.216.0/8 213.96.0.0/18 213.69.98.0/8 210.0.0.0/24 203.0.0.0/24
>>202.0.0.0/24 200.128.0.0/23 200.68.128.0/15 195.151.179.0/8
>>193.251.0.0/18 193.206.80.0/12 150.244.0.0/16 146.59.0.0/16
>>61.131.0.0/16"
>>
>>The site I am trying to get to is: http://www.lyx.org and the host
>>command returns the following:
>>
>>[ben at hawaii ben]$ host www.lyx.org
>>www.lyx.org. is an alias for baywatch.lyx.org.
>>baywatch.lyx.org. has address 213.203.58.29
>>[ben at hawaii ben]$
>>
>>My initial guess is that I should be OK with my netmasks on the 213.X.X.X
>>addresses in the blackhole list because 213.203.X.X should not be
>>blocked, but when I ask the iptables command what part of 213.X.X.X is
>>really blocked I get something that makes me think otherwise.
>>
>>
>>[root at router root]# /sbin/iptables -L | egrep 'Chain|213'
>>Chain INPUT (policy DROP)
>>DROP all -- 213-0-0-0.uc.nombres.ttd.es/8 anywhere
>>DROP all -- 213-0-0-0.uc.nombres.ttd.es/8 anywhere
>>DROP all -- 213-96-0-0.uc.nombres.ttd.es/18 anywhere
>>DROP all -- 213-0-0-0.uc.nombres.ttd.es/8 anywhere
>>Chain FORWARD (policy DROP)
>>DROP all -- 213-0-0-0.uc.nombres.ttd.es/8 anywhere
>>DROP all -- anywhere 213-0-0-0.uc.nombres.ttd.es/8
>>DROP all -- 213-0-0-0.uc.nombres.ttd.es/8 anywhere
>>DROP all -- anywhere 213-0-0-0.uc.nombres.ttd.es/8
>>DROP all -- 213-96-0-0.uc.nombres.ttd.es/18 anywhere
>>DROP all -- anywhere 213-96-0-0.uc.nombres.ttd.es/18
>>DROP all -- 213-0-0-0.uc.nombres.ttd.es/8 anywhere
>>DROP all -- anywhere 213-0-0-0.uc.nombres.ttd.es/8
>>Chain OUTPUT (policy ACCEPT)
>>DROP all -- anywhere 213-0-0-0.uc.nombres.ttd.es/8
>>DROP all -- anywhere 213-0-0-0.uc.nombres.ttd.es/8
>>DROP all -- anywhere 213-96-0-0.uc.nombres.ttd.es/18
>>DROP all -- anywhere 213-0-0-0.uc.nombres.ttd.es/8
>>[root at router root]#
>>
>>This almost makes me want to think that for this case, the netmask works
>>left to right instead of right to left. By this I mean that in spite of
>>my intentions to netmask only a small portion of the 213.X.X.X family of
>>addresses it appears that I may have blackholed the entire family of 213
>>addresses.
>>
>> Can anybody verify if this is correct? If so, what would be the best
>>way to slice out only a small portion of addresses that I want to
>>blackhole?
>>
>>Thanks in advance,
>>
>>Ben
>>_______________________________________________
>>LUAU mailing list
>>LUAU at videl.ics.hawaii.edu
>>http://videl.ics.hawaii.edu/mailman/listinfo/luau
>>
>
>
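The normalization MonMotha describes can be checked offline before a rule is ever loaded. The following is an added example, not code from the thread or from MonMotha's firewall script: it runs Ben's BLACKHOLE list (copied from the post above) through Python's `ipaddress` module with `strict=False`, which zeroes the host bits exactly as iptables does, reports every entry that ends up wider than written, lists which entries swallow the LyX host 213.203.58.29, and applies Jeff's /24 fix to the sloppy /8 entries to show that the host is then reachable again. The helper names (`normalize`, `sloppy_entries`, `blocking_entries`, `tighten`) are my own.

```python
import ipaddress

# Ben's BLACKHOLE list, copied from the original post.
BLACKHOLE = (
    "217.96.0.0/14 217.97.33.0/8 211.0.0.0/24 213.141.164.0/8 "
    "213.29.216.0/8 213.96.0.0/18 213.69.98.0/8 210.0.0.0/24 203.0.0.0/24 "
    "202.0.0.0/24 200.128.0.0/23 200.68.128.0/15 195.151.179.0/8 "
    "193.251.0.0/18 193.206.80.0/12 150.244.0.0/16 146.59.0.0/16 "
    "61.131.0.0/16"
)


def normalize(entry):
    """Return (entry as written, network the kernel will actually match).

    strict=False applies the mask and clears the host bits, which is
    what iptables does when it turns 213.69.98.0/8 into 213.0.0.0/8.
    """
    net = ipaddress.ip_network(entry, strict=False)
    return entry, str(net)


def sloppy_entries(blackhole=BLACKHOLE):
    """Entries whose written address has host bits set under its own
    prefix length: each of these blocks more than the author wrote."""
    return [(e, n) for e, n in map(normalize, blackhole.split()) if e != n]


def blocking_entries(addr, blackhole=BLACKHOLE):
    """Entries that, after normalization, cover addr (in list order)."""
    ip = ipaddress.ip_address(addr)
    return [e for e in blackhole.split()
            if ip in ipaddress.ip_network(e, strict=False)]


def tighten(entry, new_prefix=24):
    """Rewrite an entry so it covers only the /24 around the address that
    was written, which is the fix Jeff suggested for the 213.x.x.x lines."""
    host = entry.split("/")[0]
    return str(ipaddress.ip_network(f"{host}/{new_prefix}", strict=False))


def tightened_list(blackhole=BLACKHOLE):
    """Apply tighten() to every /8 entry and leave the rest alone."""
    return " ".join(tighten(e) if e.endswith("/8") else e
                    for e in blackhole.split())


if __name__ == "__main__":
    for written, actual in sloppy_entries():
        print(f"{written:18} is really {actual}")
    lyx = "213.203.58.29"
    print("entries blocking www.lyx.org:", blocking_entries(lyx))
    print("after tightening the /8 entries:",
          blocking_entries(lyx, tightened_list()))
```

Running the script prints seven entries that match a wider range than written (three of them the 213.x /8 lines), shows all three of those covering the LyX address, and shows nothing covering it once they are rewritten as /24s. The same check is worth running on any hand-maintained block list: `ipaddress.ip_network(entry)` with the default `strict=True` raises `ValueError` on a sloppy entry, so it makes a cheap pre-load lint.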