
Re: [tlug] Re: iptable blocking IP addresses



>>>>> "Tobias" == Tobias Diedrich <ranma@example.com> writes:

    Tobias> AFAIK DROP does not really 'hide' your host.  If there
    Tobias> were no host on an IP address, you should get a "Network
    Tobias> is unreachable" or "Destination Host Unreachable" error.

You should.

But go ahead.  Try pinging 130.158.99.4, or telnetting to port 23.  See
if you get anything interesting back.  Then try port 80.  Now try it
for 130.158.99.251.  130.158.99.4 is my server, but .251 shouldn't
exist.  (It's barely possible that .251 might exist, but the DHCP pool
rarely gets assigned that high any more because most folks here
instead of having 2--4 boxen using fixed or DHCP addresses are now
using only one---the wireless access point.  It's also possible that
some idiot has an idiot printer grabbing an arbitrary localnet
address, especially during yosan-tsubushi).

AFAIK there are lots of places that don't properly implement RFC 1122
and 1123.  Tsukuba-dai is just one of the most shameless.  :-(  (I
don't know what the current rules are, but when they first installed
the campus-wide firewall ICMP didn't cross in either direction.  I.e.,
all appearances to the contrary, Tsukuba-dai is not really on the
Internet.  :-P)

    Tobias> I use the following at the end of my iptables setup:

Yeah, that looks good to me.


-- 
Institute of Policy and Planning Sciences     http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.

