
[cobalt-security] ipchains adding to rc.local



>(This is probably OT, but I'm willing to 
>keep it on-list so long as somebody finds 
>it at least interesting...)

I don't know... Personally I find it completely
interesting and valuable security information. I think
living under a false sense of security is about the
worst thing anyone could do as an admin (thinking
something is working, when it's really not). So for me
at least, this is definitely a learning experience in
regards to security.

>Keep in mind that you can't use the network address, 
>203.232.0.0, or the broadcast address, 
>03.232.255.255, for hosts.  Likewise, specifying a 
>netmask of 24 says that you have 256-2 addresses 
>within the network, and specifying a netmask of 32 
>narrows it down to 1 IP address, since all the bits 
>are in the "network" side of the address.

Perfect example as I've been listing ranges (although
be they few) as 203.232.255.255/32 (again for example)
thinking I was blocking all IPs from 203.232.0.0
through 203.232.255.255 in doing so. But this makes
sense and obviously I've been very wrong with my prior
method of listing these ranges (that'll change
tonight).

So the correct way, if I understand this correctly,
would be to enter the range as 203.232.0.0/16.

-OR- if one just wanted to block the last 8-bit range,
it would be entered as 203.232.0.0/24 (am I correct?)

So if you write it with a /24 designation, it's only
blocking IPs ranging from 203.232.xxx.0 through
230.232.xxx.255.

>Separately, I seem to recall that IPs starting with
>numbers above 192 are allocated in Class C blocks of 
>256 addresses (24-bit netmasks).  Given that, your 
>firewall would be blocking 256 contiguous Class C 
>blocks with a subnet mask of 16 bits.  Are you sure 
>that's what you want to do?

Actually not with too many IP ranges - but there are a
few chronic problem children out there that just need to be
wiped off the face of the globe. For these ghouls I have no
problem blocking out entire sections of (oh, let's say
China) to keep their mischief at bay. But I do want to
make sure I fully understand this point so I don't go
shooting myself in the foot by mistake.

I'm not quite sure if I understand what the difference
is between IP ranges under 192 and those above it..<?>
You're saying that basically any range above 192 would
be more segregated and not necessarily from one
general region, or do I possibly have it backwards?
What you're saying is that 203.232.150.125 could
belong to a system in China and yet 203.232.150.225
could be mapped to a system in another part of the
world (correct?). But if I perform a lookup on a
particular range (203.232.) and it shows 203.232.0.0 -
203.232.255.255 all mapped to the region I'm trying to
block, it would be safe to use the /16-bit
designation..<?>

Thanks for the insight! I truly have learned some
valuable information this evening with this
discussion. It makes much more sense now after your
explanation.

Regards!
Scott F
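The /32-versus-/16 mix-up discussed in this message is easy to check before a rule goes into rc.local. The following is an added example, not code from the list or from ipchains; it uses Python's standard `ipaddress` module, and the rule list it checks is constructed for illustration.

```python
import ipaddress


def cidr_summary(cidr):
    """Network, broadcast and usable host count for a CIDR string.

    Shows why 203.232.255.255/32 covers one address while
    203.232.0.0/16 covers the whole 203.232.x.x block.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    # /31 and /32 have no separate network/broadcast address to subtract
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "hosts": usable,
    }


def range_to_cidrs(first, last):
    """Turn an inclusive first..last address range into the prefix(es)
    a firewall rule needs, e.g. 203.232.0.0 - 203.232.255.255 -> /16."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def blocked_by(rules, ip):
    """Return the rules (CIDR strings) that actually match the address,
    so a block list can be audited against sample addresses."""
    addr = ipaddress.ip_address(ip)
    return [r for r in rules if addr in ipaddress.ip_network(r, strict=False)]


if __name__ == "__main__":
    # Constructed rule list: the mistaken /32 entry beside the intended /16.
    rules = ["203.232.255.255/32", "203.232.0.0/16"]
    for r in rules:
        print(r, cidr_summary(r))
    print(range_to_cidrs("203.232.0.0", "203.232.255.255"))
    print(blocked_by(["203.232.255.255/32"], "203.232.150.125"))
    print(blocked_by(rules, "203.232.150.125"))
```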
