From: Adrian Buxton (Adrian.Buxton team.ozemail.com.au)
Date: Wed Jun 26 2002 - 23:06:31 CDT
You're right. The RFC states the range is /12, but the error actually allows
'spoofed' address as legitimate, not legitimate as spoofed. (which is
probably worse :)
172.16.0.0/16 = hosts from 172.16.0.1 - 172.16.255.254
172.16.0.0/12 = hosts from 172.16.0.1 - 172.31.255.254
Cheers,
Adrian.
-----Original Message-----
From: Richard P. Koett [mailto:mail-lists telus.net]
Sent: Wednesday, 26 June 2002 2:47 AM
To: misc openbsd.org
Subject: Re: PF gateway problems.. return traffic blocked (but not if in NAT mode!)
> previous firewall gateways I built were running NAT and everything had
> generally worked quite well using my firewall rules, which usually look
> like:
> spoofed="{ 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16, 127.0.0.0/8 }"
Assuming that "spoofed" refers to the private address space defined in RFC
1918, you have a small typo there.
You should change "172.16.0.0/16" to "172.16.0.0/12". As it stands you are
defining almost 1 million legitimate addresses as "spoofed".
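As an added illustration (not part of the list thread), a small Python audit of the "spoofed" macro: it computes which RFC 1918 space a given list leaves unblocked and checks sample source addresses against both the /16 version posted above and the /12 correction. The macro values come from the thread; the sample addresses and function names are constructed for this example.

```python
import ipaddress

# RFC 1918 private space, which the anti-spoof macro is meant to cover in full.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The macro as posted (172.16.0.0/16) and the corrected one (172.16.0.0/12).
SPOOFED_AS_POSTED = ["10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16", "127.0.0.0/8"]
SPOOFED_FIXED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]


def uncovered_private_space(spoofed):
    """Return the RFC 1918 sub-ranges that the given 'spoofed' list does NOT block."""
    blocked = [ipaddress.ip_network(n) for n in spoofed]
    remaining = list(RFC1918)
    for b in blocked:
        next_remaining = []
        for r in remaining:
            if r.subnet_of(b):            # fully covered: nothing left to report
                continue
            if b.subnet_of(r):            # partially covered: keep the leftover pieces
                next_remaining.extend(r.address_exclude(b))
            else:                         # CIDR blocks either nest or are disjoint
                next_remaining.append(r)
        remaining = next_remaining
    return sorted(remaining)


def unblocked_address_count(spoofed):
    """Number of private addresses that would pass the anti-spoof rule unblocked."""
    return sum(n.num_addresses for n in uncovered_private_space(spoofed))


def is_blocked(src, spoofed):
    """True if a source address falls inside any block of the 'spoofed' macro."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in spoofed)


if __name__ == "__main__":
    # Constructed sample source: a private address in the 172.17-172.31 range.
    sample = "172.20.1.5"
    for label, macro in (("as posted", SPOOFED_AS_POSTED), ("fixed", SPOOFED_FIXED)):
        gaps = ", ".join(str(n) for n in uncovered_private_space(macro)) or "none"
        print(f"{label}: unblocked private space = {gaps} "
              f"({unblocked_address_count(macro)} addresses); "
              f"{sample} blocked: {is_blocked(sample, macro)}")
```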