Hello Chris,

Chris Buechler wrote on 18 December 2004:

>>Hmmm. I've had a closer look and AFAIR 169.254/16 is used for internal
>>client communication. -v, why do you block it @ wan interface? Tia.

>That should really be blocked as a part of the "block private
>networks" checkbox.

Yes, but AFAIK m0n0wall does not block this automagically when you check the "block private networks" checkbox, does it?

In addition I also block these:

    <rule>
        <type>block</type>
        <interface>wan</interface>
        <source>
            <address>224.0.0.0/4</address>
        </source>
        <destination>
            <any/>
        </destination>
        <log/>
        <descr>Class D reserved</descr>
    </rule>
    <rule>
        <type>block</type>
        <interface>wan</interface>
        <source>
            <address>240.0.0.0/5</address>
        </source>
        <destination>
            <any/>
        </destination>
        <log/>
        <descr>Class E reserved (future use)</descr>
    </rule>

Might be worth including in the default m0n0wall ruleset for "block private networks"?

>He's just dropping it because it should never be seen on the internet,
>and it's best practice to do so.

There's another reason: packets on WAN with these addresses might trigger exploits, by pretending to be "internal" to my network. Just to be on the safe side, I drop them.

Kind regards
Frederick
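An added example, not part of the original message: a Python check that parses the two WAN rules quoted above and reports which parts of the multicast (224.0.0.0/4) and reserved (240.0.0.0/4) ranges their source networks leave unmatched. The `<rules>` wrapper element, the `TARGETS` table and the function names are assumptions made for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The two WAN block rules from the message; the <rules> wrapper is an
# assumption added so the fragment parses as one XML document.
RULES_XML = """<rules>
<rule><type>block</type><interface>wan</interface>
  <source><address>224.0.0.0/4</address></source>
  <destination><any/></destination><log/>
  <descr>Class D reserved</descr></rule>
<rule><type>block</type><interface>wan</interface>
  <source><address>240.0.0.0/5</address></source>
  <destination><any/></destination><log/>
  <descr>Class E reserved (future use)</descr></rule>
</rules>"""

# Ranges the rule descriptions refer to (class D = 224/4, class E = 240/4).
TARGETS = {"class D": "224.0.0.0/4", "class E": "240.0.0.0/4"}

def blocked_sources(xml_text, interface="wan"):
    """Source networks of all block rules on the given interface."""
    nets = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.findtext("type") == "block" and rule.findtext("interface") == interface:
            addr = rule.findtext("source/address")
            if addr:
                nets.append(ipaddress.ip_network(addr))
    return nets

def uncovered(target, blocked):
    """Sub-ranges of `target` that no network in `blocked` matches."""
    remaining = [ipaddress.ip_network(target)]
    for net in blocked:
        nxt = []
        for r in remaining:
            if r.subnet_of(net):
                continue                              # fully matched
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))    # keep unmatched rest
            else:
                nxt.append(r)                         # disjoint
        remaining = nxt
    return sorted(str(n) for n in remaining)

def audit(xml_text=RULES_XML):
    blocked = blocked_sources(xml_text)
    return {name: uncovered(cidr, blocked) for name, cidr in TARGETS.items()}

if __name__ == "__main__":
    for name, gaps in audit().items():
        print(name, "->", "fully matched" if not gaps else "unmatched: " + ", ".join(gaps))
```

Run against the two rules as posted, the audit reports 248.0.0.0/5 as unmatched, because a /5 starting at 240.0.0.0 ends at 247.255.255.255.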