From: Paul G. <pau...@bi...> - 2002-05-05 23:28:20
Örjan Johansson wrote:
> ...
> > In an obvious statement of ignorance, I will admit that I had no clue
> > the 10.116.16.1 was an RFC1918 address nor that it would be
> > "reasonable" for the cable modem ISP to use one for their DHCP server.
> >
> > Thanks for the help, Scott.
>
> I don't think it's ignorant at all. The fact that some ISPs use RFC1918
> addresses for their DNS and DHCP servers undermines security.
> Unfortunately, a lot of us are stuck with their stubborn unwillingness
> to care about anything but making money... Of course we should all be
> able to run our firewalls in non-RFC1918-mode to protect ourselves but
> alas... You're not the first to get caught by this!

I agree - nearly all cable and ADSL providers that I've seen use RFC 1918
addresses for their own infrastructure, so that they don't have to use up
their public IPs for anything except customers or critical servers. I think
if it weren't for RFC 1918, the world would stop turning. :-)

The fact that Scott didn't know what an RFC 1918 address was is forgivable.
(But don't let it happen again! ;-)

In /etc/shorewall/firewall, the following address ranges are put on the
rfc1918 chain:

0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
240.0.0.0/4

Of these, only 10/8, 172.16/12, and 192.168/16 are included in RFC 1918.
The rest are other reserved addresses (see
http://www.isi.edu/~bmanning/dsua.html for a discussion of them).

Tom, perhaps we should think about renaming the chain to 'reserved'?

Paul
http://paulgear.webhop.net
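The chain Paul describes, modelled in Python as an added example (this is not Shorewall code and not part of the original post). The eight ranges are the ones listed in the message, split into the three RFC 1918 blocks and the five other reserved blocks exactly as Paul splits them. The second function shows the narrow exception a practitioner in Örjan's situation would want: let the ISP's DHCP server (10.116.16.1, the address from the thread) through for DHCP replies only, rather than disabling the reserved-address check altogether. The packet dictionary, the exception tuple format and the sample traffic are all constructed for this example.

```python
"""Model of a reserved-address input chain, with a scoped DHCP exception.

Added example, not Shorewall's implementation.  Range list copied from the
mailing-list post; everything else here is this example's own design.
"""
import ipaddress

# Ranges the post says /etc/shorewall/firewall puts on the rfc1918 chain,
# split as the post splits them: three are RFC 1918, the rest are other
# reserved / special-use blocks.
RFC1918_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]
OTHER_RESERVED_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "240.0.0.0/4",
)]


def classify(addr):
    """Return 'rfc1918', 'reserved' or 'public' for a source address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918_RANGES):
        return "rfc1918"
    if any(ip in net for net in OTHER_RESERVED_RANGES):
        return "reserved"
    return "public"


def verdict(pkt, exceptions=()):
    """Emulate the chain for one inbound packet on the external interface.

    pkt is a dict with keys src, proto, sport, dport (constructed format).
    exceptions is a list of (src, proto, dport) tuples that may pass even
    though their source is in a reserved range.  Keeping the hole that
    narrow (one server, one protocol, one destination port) is this
    example's suggestion, not something the post configures.
    """
    if classify(pkt["src"]) == "public":
        return "ACCEPT"
    for src, proto, dport in exceptions:
        if pkt["src"] == src and pkt["proto"] == proto and pkt["dport"] == dport:
            return "ACCEPT"
    return "DROP"


def audit(packets, exceptions=()):
    """Apply the chain to a list of packets; return (src, class, verdict) rows."""
    return [(p["src"], classify(p["src"]), verdict(p, exceptions)) for p in packets]


# Constructed sample traffic.  10.116.16.1 is the ISP DHCP server from the
# thread; the other addresses are chosen to hit each branch of the chain.
SAMPLE_PACKETS = [
    {"src": "10.116.16.1", "proto": "udp", "sport": 67, "dport": 68},   # DHCP reply
    {"src": "10.116.16.1", "proto": "tcp", "sport": 40000, "dport": 22},  # not DHCP
    {"src": "169.254.7.7", "proto": "udp", "sport": 5353, "dport": 5353},
    {"src": "192.0.2.10", "proto": "tcp", "sport": 1234, "dport": 80},
    {"src": "255.255.255.255", "proto": "udp", "sport": 68, "dport": 67},
    {"src": "198.51.100.20", "proto": "tcp", "sport": 1234, "dport": 80},
]

# Only DHCP replies from the one server are excepted.
DHCP_EXCEPTION = [("10.116.16.1", "udp", 68)]

if __name__ == "__main__":
    for src, cls, result in audit(SAMPLE_PACKETS, DHCP_EXCEPTION):
        print(f"{src:>16}  {cls:<8} {result}")
```

With the exception in place the DHCP reply from 10.116.16.1 is accepted while a TCP connection attempt from the same address is still dropped, which is the point of scoping the hole to the one flow the ISP actually needs instead of trusting the whole 10/8.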