[NTLUG:Discuss] internet routing of private IPs causing problems..
brian at pongonova.net
Wed Jan 9 17:32:54 CST 2008
On Wed, Jan 09, 2008 at 05:06:14PM -0600, Richard Geoffrion wrote:
> brian at pongonova.net wrote:
> > Why would you want to forward packets to private networks beyond your
> > firewall? You *do* have a firewall, right?
> >
>
> Fact: A Server with no NAT, no DHCP. just ONE single ethernet NIC bound
> to a single public IP address
> Fact: With NO routing or IP forwarding involved on the linux host and
> with only ONE single IP address bound to the nic, it is possible to ping
> 192.168.2.1 (and others) from this host.
So, IOW, no firewall on a public box.
Hmm...I'm going to stand my ground on this one: that it's *your*
responsibility to keep outbound private traffic from leaving your
network cloud.
> Fact: VMWARE server is loaded on this machine and a HOST ONLY network is
> setup with the host OS having an IP address of 192.168.2.1/24 assigned
> to its VMNET1 interface.
> Fact: The VMNET1 will *NOT* start if the server itself is able to
> ping/reach/contact the IP address that it has been assigned.
Then configure iptables to prevent outbound traffic from
192.168.2.1/24. I really can't figure out what the problem is here.
> I do NOT want to forward private networks to the internet.. I want the
> exact opposite. I want my ISP to quit polluting MY network with their
> private IP network!
That's what iptables is for.
> Yes, I could (and should...and probably will have to) setup firewall
> rules to block the forwarding of private IP addresses out onto the
> internet, but that makes no excuse for a seemingly major Telcom player
> (read: McLeodUSA) to allow their customers to affect THEIR private IP
> networks.
In an ideal world, sure. But really, you're fighting an uphill battle
here. Surely you have more important battles to wage?
> I hope my issue is a bit more understood...though I wasn't out to
> clarify/argue my setup...just the idea of whether or not the public
> network should route private addresses.
Well, unfortunately, it *does* boil down to your setup. In an ideal
world, we'd all play nice and there'd be no need for firewalls, or
this discussion.
--Brian
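The iptables approach Brian points at above amounts to a few rules on the public interface. What follows is an added example, not code posted by either participant: it assumes the public NIC is eth0 (the name is an assumption), generates the rules as text so they can be reviewed first, and only applies them when run as root.

```shell
#!/bin/sh
# Added example (not from the thread): keep RFC 1918 destinations from leaving
# the box via the public NIC, so a stray ping to 192.168.2.1 is answered locally
# with "unreachable" instead of being handed to the ISP's default route.
# Interface name and the use of REJECT vs DROP are illustrative choices.

# Print the iptables commands that block private-destination traffic on the
# given public interface, one command per line, without applying anything.
rfc1918_block_rules() {
    pub_if="$1"          # assumed public interface, e.g. eth0
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        # Locally generated packets (the host's own ping, VMware's reachability
        # probe): REJECT so the sender fails fast rather than waiting on a timeout.
        echo "iptables -A OUTPUT -o $pub_if -d $net -j REJECT --reject-with icmp-net-unreachable"
        # Packets forwarded through the host, in case ip_forward is ever turned on:
        # silently drop, nothing on the far side deserves an error message.
        echo "iptables -A FORWARD -o $pub_if -d $net -j DROP"
    done
}

# Apply the generated rules when running as root; otherwise show them.
apply_rfc1918_block() {
    pub_if="$1"
    if [ "$(id -u)" -eq 0 ]; then
        rfc1918_block_rules "$pub_if" | sh
    else
        rfc1918_block_rules "$pub_if"
    fi
}

# Usage: apply_rfc1918_block eth0
```

Because the rules match on the outgoing interface (`-o eth0`), they do not touch traffic for 192.168.2.0/24 once VMnet1 is up and owns that route; they only bite while the kernel would otherwise send the packet out the default route. A quick before-and-after check is `ip route get 192.168.2.1`, which shows which interface the kernel would pick for that destination.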