[luau] MonMotha Firewall rules help

beesond001 at hawaii.rr.com beesond001 at hawaii.rr.com
Tue Apr 9 15:15:35 PDT 2002


I see said the blind man...

Thanks,

Ben 

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 4/9/02, 11:28:30 AM, MonMotha <monmotha at indy.rr.com> wrote regarding Re: 
[luau] MonMotha Firewall rules help:


> This isn't a script issue, it's an iptables issue, and iptables is
> acting properly.  When you give a /8 CIDR bitmask, translating to a
> 255.0.0.0 netmask, iptables finds the proper network to apply it to.
> You blackhole 213.69.98.0/8, which is in the 213.0.0.0/8 network.
> Iptables corrects your improper terminology and takes it to the nearest
> proper network, causing the deny to affect all of the 213./8 subnet.

> --MonMotha

> Jeff Mings wrote:
> > Yes, Ben, you should be using 255.255.255.0 or /24 netmasks for the 213.x.x.x
> > entries that you want to block.
> >
> > -Jeff
> >
> >
> > On Tuesday 09 April 2002 10:42 am, you wrote:
> >
> >>Aloha all,
> >>
> >>    I tried to go to the LyX web site today, but my firewall won't let me
> >>get there.  I was wondering if anyone could help.   Here are the
> >>particulars...
> >>
> >>I am running MonMotha's Firewall version 2.3.8-pre4 on a RH Linux ver 7.2
> >>machine.
> >>
> >>My BLACKHOLE list contains some families of IP addresses that represent
> >>"offenders" that I got tired of seeing in my log files...  This list of
> >>BLACKHOLED addresses for my firewall is:
> >>
> >>BLACKHOLE="217.96.0.0/14 217.97.33.0/8 211.0.0.0/24 213.141.164.0/8
> >>213.29.216.0/8 213.96.0.0/18 213.69.98.0/8 210.0.0.0/24 203.0.0.0/24
> >>202.0.0.0/24 200.128.0.0/23 200.68.128.0/15 195.151.179.0/8
> >>193.251.0.0/18 193.206.80.0/12 150.244.0.0/16 146.59.0.0/16
> >>61.131.0.0/16"
> >>
> >>The site I am trying to get to is:  http://www.lyx.org and the host
> >>command returns the following:
> >>
> >>[ben at hawaii ben]$ host www.lyx.org
> >>www.lyx.org. is an alias for baywatch.lyx.org.
> >>baywatch.lyx.org. has address 213.203.58.29
> >>[ben at hawaii ben]$
> >>
> >>My initial guess is that I should be OK with my netmasks on the 213.X.X.X
> >>addresses in the blackhole list because 213.203.X.X should not be
> >>blocked, but when I ask the iptables command what part of 213.X.X.X is
> >>really blocked I get something that makes me think otherwise.
> >>
> >>
> >>[root at router root]# /sbin/iptables -L | egrep 'Chain|213'
> >>Chain INPUT (policy DROP)
> >>DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> >>DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> >>DROP       all  --  213-96-0-0.uc.nombres.ttd.es/18  anywhere
> >>DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> >>Chain FORWARD (policy DROP)
> >>DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> >>DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> >>DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> >>DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> >>DROP       all  --  213-96-0-0.uc.nombres.ttd.es/18  anywhere
> >>DROP       all  --  anywhere             213-96-0-0.uc.nombres.ttd.es/18
> >>DROP       all  --  213-0-0-0.uc.nombres.ttd.es/8  anywhere
> >>DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> >>Chain OUTPUT (policy ACCEPT)
> >>DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> >>DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> >>DROP       all  --  anywhere             213-96-0-0.uc.nombres.ttd.es/18
> >>DROP       all  --  anywhere             213-0-0-0.uc.nombres.ttd.es/8
> >>[root at router root]#
> >>
> >>This almost makes me want to think that for this case, the netmask works
> >>left to right instead of right to left.  By this I mean that in spite of
> >>my intentions to netmask only a small portion of the 213.X.X.X family of
> >>addresses it appears that I may have blackholed the entire family of 213
> >>addresses.
> >>
> >>    Can anybody verify if this is correct?  If so, what would be the best
> >>way to slice out only a small portion of addresses that I want to
> >>blackhole?
> >>
> >>Thanks in advance,
> >>
> >>Ben
> >>_______________________________________________
> >>LUAU mailing list
> >>LUAU at videl.ics.hawaii.edu
> >>http://videl.ics.hawaii.edu/mailman/listinfo/luau
> >>


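The point MonMotha makes above, as an added example that is not part of this thread: iptables clears the host bits beyond the prefix length, so 213.69.98.0/8 is installed as 213.0.0.0/8. The Python below (using only the standard ipaddress module, assumed available; the function names are mine) normalizes every entry in Ben's BLACKHOLE list the same way, flags the entries whose prefix is wider than the address suggests, and shows which installed entries would DROP www.lyx.org's address 213.203.58.29.

```python
import ipaddress

# Ben's BLACKHOLE list, copied from the quoted message.
BLACKHOLE = ("217.96.0.0/14 217.97.33.0/8 211.0.0.0/24 213.141.164.0/8 "
             "213.29.216.0/8 213.96.0.0/18 213.69.98.0/8 210.0.0.0/24 203.0.0.0/24 "
             "202.0.0.0/24 200.128.0.0/23 200.68.128.0/15 195.151.179.0/8 "
             "193.251.0.0/18 193.206.80.0/12 150.244.0.0/16 146.59.0.0/16 "
             "61.131.0.0/16")


def normalize(entry: str) -> ipaddress.IPv4Network:
    """Return the network iptables actually installs for a CIDR entry.

    strict=False clears the host bits beyond the prefix, which is exactly the
    "correction" MonMotha describes: 213.69.98.0/8 becomes 213.0.0.0/8.
    """
    return ipaddress.ip_network(entry, strict=False)


def sloppy_entries(blackhole: str) -> list:
    """Entries whose host bits are non-zero, i.e. the prefix is wider than the
    author intended. Returns (as written, as installed) pairs."""
    result = []
    for entry in blackhole.split():
        installed = str(normalize(entry))
        if installed != entry:
            result.append((entry, installed))
    return result


def matching_entries(blackhole: str, host: str) -> list:
    """Entries (as installed) that would DROP traffic to or from host."""
    addr = ipaddress.ip_address(host)
    return [entry for entry in blackhole.split() if addr in normalize(entry)]


def tighten(blackhole: str, prefix: int = 24) -> str:
    """Rewrite every sloppy entry with the given prefix length (Jeff's /24
    suggestion), leaving correctly written entries alone."""
    fixed = []
    for entry in blackhole.split():
        if str(normalize(entry)) == entry:
            fixed.append(entry)
        else:
            host_part = entry.split("/")[0]
            fixed.append(str(ipaddress.ip_network(f"{host_part}/{prefix}", strict=False)))
    return " ".join(fixed)


if __name__ == "__main__":
    for written, installed in sloppy_entries(BLACKHOLE):
        print(f"{written:20} is installed as {installed}")
    lyx = "213.203.58.29"
    print("entries that block www.lyx.org:", matching_entries(BLACKHOLE, lyx))
    print("after tightening to /24:", matching_entries(tighten(BLACKHOLE), lyx))
```

Running it lists the seven entries whose host bits are silently dropped (all four 213.x.x.x/8 entries among them) and shows that three of them cover 213.203.58.29; with those rewritten as /24 networks nothing in the list matches the LyX host any more. The same check is worth running on any address list before it is fed to a firewall script, because iptables accepts such entries without complaint.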


