[ILUG] Re: odd shorewall behaviour

Gavin McCullagh ilug_gmc at fiachra.ucd.ie
Wed Feb 16 18:13:32 GMT 2005


Hi,

Paul Jakma wrote:

>> at some stage shorewall introduced banning of bogons, 
>
> Presumably shorewall has a way to automatically update this list? 

They do, though it appears it was not there from the start.

http://lists.shorewall.net/pipermail/shorewall-announce/2004-April/000362.html

These days there's a perl script:

/usr/share/shorewall/update-bogons

which downloads http://www.iana.org/assignments/ipv4-address-space and
parses it for bogon addresses.  I'm unsure in what circumstances this
script gets run (install time, cron job, when someone gets refused for
bogons, whenever the sysadmin thinks of it?).

> Otherwise that is a terrifically dumb idea, as you noted further in 
> your mail, unassigned prefixes will eventually be assigned. 

Indeed.  The bogons filtering is now disabled by default and for this
reason I decided to leave it that way.  

Out of curiosity, is there much documented benefit to blocking bogons?
Surely replies wouldn't get routed back to the attacker?

Gavin
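The update-bogons idea and the staleness problem discussed in this thread, as an added example (not Gavin's code and not Shorewall's script): it parses an assumed, simplified form of the legacy IANA ipv4-address-space text listing (one /8 per line: prefix, optional allocation date, designation) and reports which entries of a static bogon list the current table shows as allocated. The IANA table and the bogon list below are constructed samples, not real snapshots.

```python
"""Audit a static bogon list against a current IANA /8 allocation table."""
import ipaddress
import re

# Constructed sample in the assumed legacy IANA format (not a real snapshot).
IANA_TABLE = """\
000/8   Sep 81   IANA - Reserved
003/8   May 94   General Electric Company
010/8   Jun 95   IANA - Private Use
073/8   Mar 05   ARIN
074/8   Jun 05   ARIN
075/8   Jun 05   ARIN
076/8            Unallocated
127/8   Sep 81   IANA - Loopback
"""

# Constructed example of a static bogon list a firewall might have shipped with.
STALE_BOGONS = ["0.0.0.0/8", "73.0.0.0/8", "74.0.0.0/8", "76.0.0.0/8", "127.0.0.0/8"]

# "NNN/8", an optional "Mon YY" date, then the designation text.
LINE_RE = re.compile(r"^\s*(\d{3})/8\s+(?:[A-Z][a-z]{2}\s+\d{2}\s+)?(.*?)\s*$")


def is_unroutable(designation):
    """Unallocated blocks and IANA special-purpose blocks belong in a bogon list."""
    return designation == "Unallocated" or designation.startswith("IANA")


def parse_iana_table(text):
    """Return {/8 network: designation} for every row that matches the format."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[ipaddress.ip_network(f"{int(m.group(1))}.0.0.0/8")] = m.group(2)
    return table


def current_bogons(table):
    """What a freshly generated bogon list should contain, from the table."""
    return sorted(net for net, d in table.items() if is_unroutable(d))


def stale_entries(bogons, table):
    """Entries of a static list whose enclosing /8 is now allocated.
    Traffic from these would be dropped by a firewall still using the list."""
    stale = []
    for cidr in bogons:
        net = ipaddress.ip_network(cidr)
        parent = ipaddress.ip_network(f"{net.network_address.packed[0]}.0.0.0/8")
        designation = table.get(parent)
        if designation is not None and not is_unroutable(designation):
            stale.append((net, designation))
    return stale


if __name__ == "__main__":
    for net, owner in stale_entries(STALE_BOGONS, parse_iana_table(IANA_TABLE)):
        print(f"stale bogon entry {net}: now allocated to {owner}")
```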
