[NTLUG:Discuss] internet routing of private IPs causing problems..
Richard Geoffrion
ntlug at rain4us.net
Wed Jan 9 17:06:14 CST 2008
brian at pongonova.net wrote:
> Why would you want to forward packets to private networks beyond your
> firewall? You *do* have a firewall, right?
>
Fact: A server with no NAT, no DHCP, just ONE single Ethernet NIC bound
to a single public IP address.
Fact: With NO routing or IP forwarding involved on the Linux host and
with only ONE single IP address bound to the NIC, it is possible to ping
192.168.2.1 (and others) from this host.
Fact: VMware Server is loaded on this machine and a HOST ONLY network is
set up with the host OS having an IP address of 192.168.2.1/24 assigned
to its VMNET1 interface.
Fact: The VMNET1 will *NOT* start if the server itself is able to
ping/reach/contact the IP address that it has been assigned.
I do NOT want to forward private networks to the internet.. I want the
exact opposite. I want my ISP to quit polluting MY network with their
private IP network!
Yes, I could (and should...and probably will have to) set up firewall
rules to block the forwarding of private IP addresses out onto the
internet, but that makes no excuse for a seemingly major telecom player
(read: McLeodUSA) to allow their customers to affect THEIR private IP
networks.
McLeodUSA has absolutely NO understanding of the issue and they think
I'm nutso. Maybe I am. Maybe I should just ping flood all the internal
router addresses until someone gets a clue.
In the meantime, I guess I will have to figure out how to add in
firewalling rules to stop the ??forwarding??? (I'm not really
forwarding.. I'm just sending out?? maybe the OUTPUT chain
then)...figure out how to firewall outbound packets to private IP
addresses then -- and of course do it without killing internal routing.
I guess just a plain drop would work.
I hope my issue is a bit more understood...though I wasn't out to
clarify/argue my setup...just the idea of whether or not the public
network should route private addresses.
--
Richard (a bit frustrated)
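The OUTPUT-chain approach Richard sketches above, written out as an added example (not code from the original thread): drop packets that would leave the public NIC for RFC 1918 destinations, and keep the VMware host-only network working by matching only on the outbound interface. The interface names eth0 (public) and vmnet1 (host-only) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Emits iptables OUTPUT-chain rules
# that drop traffic leaving the *public* interface for RFC 1918 destinations.
# Because the rules match on "-o $PUBLIC_IF", packets to 192.168.2.0/24 on the
# VMware host-only NIC (assumed name: vmnet1) are never touched.
# Assumed interface name for the public NIC: eth0 (override with PUBLIC_IF=...).
PUBLIC_IF="${PUBLIC_IF:-eth0}"

# The three RFC 1918 private ranges.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the rules instead of applying them, so they can be reviewed first.
# Note: -A appends, so an earlier blanket ACCEPT in OUTPUT would still win;
# check "iptables -L OUTPUT -n -v" before relying on these.
private_egress_rules() {
    for net in $PRIVATE_NETS; do
        printf 'iptables -A OUTPUT -o %s -d %s -j DROP\n' "$PUBLIC_IF" "$net"
    done
}

# Returns 0 when a dotted-quad destination falls inside one of the RFC 1918
# ranges above, i.e. would be dropped if sent out the public interface.
is_private_dst() {
    case "$1" in
        10.*)                                      return 0 ;;
        192.168.*)                                 return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)     return 0 ;;
    esac
    return 1
}

# Run with "apply" as the first argument (as root) to load the rules;
# with no argument the script only prints them.
if [ "$1" = "apply" ]; then
    private_egress_rules | sh
else
    private_egress_rules
fi
```

Traffic to the ISP's leaked 192.168.x.x router addresses is dropped on eth0, while pings to 192.168.2.1 over vmnet1 still work because no rule matches that interface.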