68.0.0.0/8 illegal?

Alex Pennace alex at pennace.org
Thu Apr 26 01:26:19 EDT 2001


On Thu, Apr 26, 2001 at 12:54:33AM -0400, David Kramer wrote:
> I built my rc.firewall from Robert Ziegler's site
> (http://www.linux-firewall-tools.com/). I noticed a lot of lines in it
> in this section:
> 
>     # refuse addresses defined as reserved by the IANA
>     # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
>     # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
>     # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
> ...
>     ipchains -A input  -i $EXTERNAL_INTERFACE  \
>              -s 58.0.0.0/7 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE  \
>              -s 60.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE  \
>              -s 65.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE  \
>              -s 66.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE  \
>              -s 67.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE  \
>              -s 68.0.0.0/8 -j DENY -l
> ...
> 
> The /var/log/messages lines look like:
> Apr 22 04:02:47 kramer kernel: Packet log: input DENY eth0 PROTO=6
> 66.92.67.47:\
> 2996 24.91.178.175:25 L=44 S=0x00 I=26223 F=0x4000 T=56 SYN (#32)
[snip]
> So I'm thinking since these addresses seem to whois to real ISPs, that
> these are valid addresses that I should NOT be blocking.

That's correct.

> On the other hand, I think the SYN flag either means they initiated the
> conversation, or that they are trying to do a syn flood on my box. 
> Given that I only see like 10 in a row, I doubt the latter.

Poor guy at dsl092-067-047.bos1.dsl.speakeasy.net just wants to talk
SMTP to your box. :)
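
An added example, not part of the original thread: Python that parses ipchains `-l` log entries like the one quoted above and reports which of the quoted DENY prefixes is dropping inbound TCP connection attempts, and to which port. The second and third sample lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Source prefixes from the DENY rules quoted in the post.
DENY_PREFIXES = [ipaddress.ip_network(p) for p in (
    "58.0.0.0/7", "60.0.0.0/8", "65.0.0.0/8",
    "66.0.0.0/8", "67.0.0.0/8", "68.0.0.0/8")]

# Layout of an ipchains "-l" kernel log entry, as in the quoted line.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<rest>.*)\(#(?P<rule>\d+)\)")

def parse(line):
    """Return the fields of one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    src = ipaddress.ip_address(rec["src"])
    rec["syn"] = "SYN" in rec.pop("rest").split()
    # Which "reserved" prefix, if any, covers the logged source address.
    rec["prefix"] = next((str(n) for n in DENY_PREFIXES if src in n), None)
    return rec

def dropped_connection_attempts(lines):
    """Count denied TCP SYNs per (deny prefix, destination port)."""
    hits = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["action"] == "DENY" and rec["proto"] == "6" and rec["syn"] and rec["prefix"]:
            hits[(rec["prefix"], int(rec["dport"]))] += 1
    return hits

# First entry is the log line from the post with its wrapped halves rejoined;
# the other two are constructed for illustration.
SAMPLE = [
    "Apr 22 04:02:47 kramer kernel: Packet log: input DENY eth0 PROTO=6 "
    "66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26223 F=0x4000 T=56 SYN (#32)",
    "Apr 22 04:02:50 kramer kernel: Packet log: input DENY eth0 PROTO=6 "
    "66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26224 F=0x4000 T=56 SYN (#32)",
    "Apr 22 04:03:01 kramer kernel: Packet log: input DENY eth0 PROTO=17 "
    "59.1.2.3:1024 24.91.178.175:53 L=60 S=0x00 I=100 F=0x0000 T=50 (#28)",
]

if __name__ == "__main__":
    for (prefix, port), n in dropped_connection_attempts(SAMPLE).items():
        print(f"{n} SYN(s) to port {port} dropped by the {prefix} rule")
```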