[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

blocking private address ranges



I see a lot of sample rulesets making a point to block RFC 1918 address ranges - but I have to ask, is it really feasible that packets with these source addresses would really reach anyone's interface? Unless the firewall is connected to a network addressed as such, doesn't simple routing by definition prevent such a possibility? Would these packets even feasibly be routed to the network you are trying to protect?

Example:

forbidden="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
        0.0.0.0/32, 255.255.255.255/32 }"
block in log quick on $ext_if from $forbidden to $homenet

TIA

DS