
RE: "bad" IP addresses <newbie>



You might want to also reference the following RFC:
ftp://ftp.rfc-editor.org/in-notes/rfc3330.txt
This is a list of special use IPv4 addresses.
Also, contrary to popular belief, Microsoft did not invent the use of the
169.254/16 block for auto-config if there is no DHCP server.  Apple and
other vendors use this block as well.  It is defined in this RFC as the Link
Local block:
169.254.0.0/16 - This is the "link local" block.  It is allocated for
   communication between hosts on a single link.  Hosts obtain these
   addresses by auto-configuration, such as when a DHCP server may not
   be found.
From this RFC, here is the current list of special addresses:
   Address Block        Present Use                            Reference
   ---------------------------------------------------------------------
   0.0.0.0/8            "This" Network                 [RFC1700, page 4]
   10.0.0.0/8           Private-Use Networks                   [RFC1918]
   14.0.0.0/8           Public-Data Networks         [RFC1700, page 181]
   24.0.0.0/8           Cable Television Networks                    --
   39.0.0.0/8           Reserved but subject
                           to allocation                       [RFC1797]
   127.0.0.0/8          Loopback                       [RFC1700, page 5]
   128.0.0.0/16         Reserved but subject
                           to allocation                             --
   169.254.0.0/16       Link Local                                   --
   172.16.0.0/12        Private-Use Networks                   [RFC1918]
   191.255.0.0/16       Reserved but subject
                           to allocation                             --
   192.0.0.0/24         Reserved but subject
                           to allocation                             --
   192.0.2.0/24         Test-Net
   192.88.99.0/24       6to4 Relay Anycast                     [RFC3068]
   192.168.0.0/16       Private-Use Networks                   [RFC1918]
   198.18.0.0/15        Network Interconnect
                           Device Benchmark Testing            [RFC2544]
   223.255.255.0/24     Reserved but subject
                           to allocation                             --
   224.0.0.0/4          Multicast                              [RFC3171]
   240.0.0.0/4          Reserved for Future Use        [RFC1700, page 4]
Some of these, such as 0/8, RFC 1918 address blocks, 127/8, 169.254/16,
192.0.2/24, 224/3, I would block.  Otherwise, unless you want to watch to see
if the other blocks get allocated, I would stick with Daniel's advice.
<> Jim
-----Original Message-----
From: s c o t t [mailto:spaceacademy@hotmail.com] 
Sent: Tuesday, April 15, 2003 7:08 PM
To: pf@benzedrine.cx
Subject: "bad" IP addresses <newbie>
Hello,
I have been reading through the mailing list archives, the manual pages, the
PF HOWTO, and several sites, including but not limited to those listed 
below.
And I have a question about the rule (or rules) most of these have related 
to what are non-routable IP addresses (private, spoofed, etc.).
Here is a sampling of what I have found:
PF HOWTO
http://www.inebriated.demon.nl/pf-howto/html/node3.html#SECTION00031000000000000000
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
255.255.255.255/32

http://www.muine.org/~hoang/pf.txt
none specific to "bad" IP's

RFC 1918
http://www.faqs.org/rfcs/rfc1918.html
10/8
172.16/12
192.168/16

http://www.onlamp.com/pub/a/bsd/2002/04/11/securing.html
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
204.152.64.0/23
224.0.0.0/3

http://erwan.lemonnier.free.fr/databites/openbsd3.0-firewall-pf-nat-dhcp.html
127.0.0.1/8
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
255.255.255.255/32

http://mlowe.phpwebhosting.com/pages/openbsd.html
127.0.0.1/8
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

http://www.obsd.pronym.org/wiki/index.php/ResidentialDslOrCable
0.0.0.0/8
10.0.0.0/8
20.20.20.0/24
127.0.0.0/8
169.254.0.0/16
172.16.0.0/16
192.0.2.0/24
192.168.0.0/16
255.255.255.255/32

Obviously there are some IP addresses that are not in every pf.conf and I 
wonder what the significance of these is? Specifically those that are not 
described in RFC 1918. Are there known exploits that are described 
somewhere?
Are these better handled with antispoof for a particular interface? The man 
page seems to make me believe this but again I am just flying by the seat of
my pants...
Cheers,
scott
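
The comparison this thread makes by hand, as an added example that is not part of either message: it relates each entry from the sampled pf.conf lists to the RFC 3330 table quoted in the reply. The names `RFC3330`, `SAMPLED`, `classify` and `audit` are chosen here for illustration.

```python
import ipaddress

# Blocks from the RFC 3330 table quoted in the reply above.
RFC3330 = [ipaddress.ip_network(n) for n in """
0.0.0.0/8 10.0.0.0/8 14.0.0.0/8 24.0.0.0/8 39.0.0.0/8 127.0.0.0/8
128.0.0.0/16 169.254.0.0/16 172.16.0.0/12 191.255.0.0/16 192.0.0.0/24
192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15
223.255.255.0/24 224.0.0.0/4 240.0.0.0/4""".split()]

# Distinct entries collected from the sample lists in the original question.
SAMPLED = """10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32
0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 192.0.2.0/24 204.152.64.0/23
224.0.0.0/3 127.0.0.1/8 20.20.20.0/24 172.16.0.0/16""".split()


def classify(entry):
    """Relate one blocklist entry to the RFC 3330 table.

    Returns (status, related_blocks, host_bits_set)."""
    iface = ipaddress.ip_interface(entry)
    net = iface.network                      # prefix with host bits cleared
    host_bits = iface.ip != net.network_address
    if net in RFC3330:
        return "listed", [str(net)], host_bits
    # CIDR blocks are either nested or disjoint, so these cases are exhaustive.
    inside = [str(r) for r in RFC3330 if net.subnet_of(r)]
    if inside:
        return "inside", inside, host_bits
    covers = [str(r) for r in RFC3330 if r.subnet_of(net)]
    if covers:
        return "covers", covers, host_bits
    return "unlisted", [], host_bits


def audit(entries):
    """Return {entry: classification} for everything that is not a clean exact match."""
    findings = {}
    for entry in entries:
        result = classify(entry)
        if result[0] != "listed" or result[2]:
            findings[entry] = result
    return findings


if __name__ == "__main__":
    for entry, (status, related, host_bits) in audit(SAMPLED).items():
        note = " (host bits set)" if host_bits else ""
        print(f"{entry:20} {status:9} {', '.join(related)}{note}")
```

Entries reported as `unlisted` are the ones the RFC 3330 table does not account for; `covers` and `inside` show where a sampled list uses a wider or narrower prefix than the table.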