SuSEfirewall2: are these IPs private or not?
Hi!

In RFC1918, I found this:

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets.

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

I decided to assign the following IPs to the hosts in my LAN: 172.20.30.40/29, i.e. 172.20.30.41 - 172.20.30.46.

When I start SuSEfirewall2, there appears an error message: The network 172.20.30.40/29 you want to masquerade is not from a private network. Change this!

Is this an error of SuSEfirewall2, or do I misunderstand something completely?

regards
Florian Pressler
Hi all!!

Sorry to step in here (without being asked -- hehe!)

IMHO we miss the point ?-( ALL answers are correct [more or less -- no flames!], but don't answer his question!

Florian Pressler wrote:
Hi!
In RFC1918, I found this:
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets.
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
I decided to assign the following IPs to the hosts in my LAN: 172.20.30.40/29, i.e. 172.20.30.41 - 172.20.30.46.

IMHO good (/acceptable) decision ;-)

When I start SuSEfirewall2, there appears an error message: The network 172.20.30.40/29 you want to masquerade is not from a private network. Change this!
Is this an error of SuSEfirewall2, or do I misunderstand something completely?

If I read Florian's posting right, the question is not whether or not to take these addresses and/or whether it's 'free address space', nor is it a CIDR/other routing problem! (Maybe I'm wrong!?!)

Said this, for me the question/answer is quite interesting: --> WHY does SuSEfirewall2 assume that THIS ADDRESS isn't from a private network???

My apologies, I don't use SuSEfirewall2 at the moment; maybe Florian has to give more information, maybe the answer can only be given by the 'firewall gurus' or the author of the script -- but I'm really wondering why this error message appears!

Any explanation _greatly_ appreciated!

-- best greetings from Solingen /GERMANY
Dieter Hürten
Dieter Huerten wrote:
Hi all!!
Sorry to step in here (without being asked -- hehe!)
IMHO we miss the point ?-(
ALL answers are correct [more or less -- no flames!], but don't answer his question!
Hi!
In RFC1918, I found this:
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets.
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
<--snip->
If I read Florian's posting right, the question is not whether or not to take these addresses and/or whether it's 'free address space', nor is it a CIDR/other routing problem! (Maybe I'm wrong!?!)
Said this, for me the question/answer is quite interesting: --> WHY does SuSEfirewall2 assume that THIS ADDRESS isn't from a private network???

I think it is an error in the firewall script. Take a look in /sbin/SuSEfirewall2:

echo "$PART1" | $GREP -Eq '^10\.|^172\.1|^192\.168\.' || {
    echo "Warning: The network $DEV_IP you want to masquerade is not from a private network"
    echo ' e.g. 10.0.0.0/8, 172.16.0.0/11 or 192.168.0.0/16 - change this!'
}

So it only checks whether the address begins with 172.1* -- not very RFC conformant :-) The 172.1.x.x subnet should work, although it isn't a private network.

Bye
Thomas
* Thomas Nowak wrote on Tue, Aug 28, 2001 at 09:47 +0200:
Dieter Huerten wrote:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

echo "$PART1" | $GREP -Eq '^10\.|^172\.1|^192\.168\.' || {
    echo "Warning: The network $DEV_IP you want to masquerade is not from a private network"
    echo ' e.g. 10.0.0.0/8, 172.16.0.0/11 or 192.168.0.0/16 - change this!'
}

So it only checks whether the address begins with 172.1* -- not very RFC conformant :-)

should be changed. Well, I have no nice idea about a real cool regex, but:

echo "$PART1" | $GREP -Eq \
    '^10\.|^172\.(16|17|18|19|2.|30|31)\.|^192\.168\.' ....

should work. Improvements?

oki,
Steffen

-- This letter was produced by machine and therefore bears neither signature nor seal.
On Tuesday 28 August 2001 21.30, Steffen Dettmer wrote:
* Thomas Nowak wrote on Tue, Aug 28, 2001 at 09:47 +0200:
Dieter Huerten wrote:
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
echo "$PART1" | $GREP -Eq '^10\.|^172\.1|^192\.168\.' || {
    echo "Warning: The network $DEV_IP you want to masquerade is not from a private network"
    echo ' e.g. 10.0.0.0/8, 172.16.0.0/11 or 192.168.0.0/16 - change this!'
}

So it only checks whether the address begins with 172.1* -- not very RFC conformant :-)

should be changed. Well, I have no nice idea about a real cool regex, but:

echo "$PART1" | $GREP -Eq \
    '^10\.|^172\.(16|17|18|19|2.|30|31)\.|^192\.168\.' ....
should work. Improvements?
oki,
Steffen
Shouldn't Microsoft's 169.254.0.0/16 range be there as well? It's very common for MS machines to use addresses in that range, and they are 'reserved' for that purpose, even if they're not in an RFC.

Anders
On Tuesday 28 August 2001 21.30, Steffen Dettmer wrote:
* Thomas Nowak wrote on Tue, Aug 28, 2001 at 09:47 +0200:
Dieter Huerten wrote:
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
echo "$PART1" | $GREP -Eq '^10\.|^172\.1|^192\.168\.' || {
    echo "Warning: The network $DEV_IP you want to masquerade is not from a private network"
    echo ' e.g. 10.0.0.0/8, 172.16.0.0/11 or 192.168.0.0/16 - change this!'
}

So it only checks whether the address begins with 172.1* -- not very RFC conformant :-)

should be changed. Well, I have no nice idea about a real cool regex, but:

echo "$PART1" | $GREP -Eq \
    '^10\.|^172\.(16|17|18|19|2.|30|31)\.|^192\.168\.' ....
should work. Improvements?
I forgot one comment: I don't think it can be done with a simple regexp, but you need to check the netmask as well. 10.0.0.0/4 isn't private.
oki,
Steffen
Anders
* Anders Johansson wrote on Tue, Aug 28, 2001 at 22:41 +0200:
On Tuesday 28 August 2001 21.30, Steffen Dettmer wrote:
* Thomas Nowak wrote on Tue, Aug 28, 2001 at 09:47 +0200:
Dieter Huerten wrote:
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
echo "$PART1" | $GREP -Eq '^10\.|^172\.1|^192\.168\.' || {
    echo "Warning: The network $DEV_IP you want to masquerade is not from a private network"
    echo ' e.g. 10.0.0.0/8, 172.16.0.0/11 or 192.168.0.0/16 - change this!'
}

So it only checks whether the address begins with 172.1* -- not very RFC conformant :-)

should be changed. Well, I have no nice idea about a real cool regex, but:

echo "$PART1" | $GREP -Eq \
    '^10\.|^172\.(16|17|18|19|2.|30|31)\.|^192\.168\.' ....
should work. Improvements?
* Line pasted from other mail:
Shouldn't Microsoft's 169.254.0.0/16 range be there as well?
Well, I wouldn't use LINKLOCAL and I wouldn't mask, but ...
I don't think it can be done with a simple regexp, but you need to check the netmask as well. 10.0.0.0/4 isn't private
Yep, you're right.

BTW, I don't know why I shouldn't MASQ non-private addresses. Let's call it "address hiding" and you have a security feature which is not that bad! I used this for protecting call-back lines (which wouldn't hang up when a portscan is done against the called-back host otherwise). But remember, SuSEfirewall is built for Joe Average, who has no idea about firewalling, and so Joe gets a warning if doing non-average things.

oki,
Steffen
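The two points made in this thread, Thomas' observation that the script only looks at the leading text of the address (so 172.20.x.x and 172.31.x.x fail while 172.1.x.x passes) and Anders' point that a correct test also needs the netmask (10.0.0.0/4 starts with "10." but is not private), are easier to get right with a little integer arithmetic than with a regex. The following is an added example written for this page, not code from /sbin/SuSEfirewall2 or from any of the posters; the function names ip2int, prefix2mask, is_rfc1918_net and old_check are made up here, and the sample networks in the demo loop are constructed. It takes the network in the ADDR/PREFIX form from Florian's message and accepts it only if the prefix is at least as long as the RFC1918 block's and the network address matches the block under the block's own mask. The script's original prefix-string test is kept beside it for comparison. Note that the script's warning text lists 172.16.0.0/11; RFC1918 defines that block as 172.16.0.0/12.

```shell
#!/bin/sh
# Added example (not from /sbin/SuSEfirewall2): netmask-aware RFC1918 check.
# All function names here are hypothetical.

# ip2int A.B.C.D -> prints the address as a 32-bit integer; exit 1 if malformed.
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # reject empty, non-numeric and leading-zero octets (octal is ambiguous)
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix2mask N -> prints the netmask for prefix length N (0..32) as an integer.
prefix2mask() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# is_rfc1918_net ADDR/PREFIX -> exit 0 only if the whole network lies inside
# 10/8, 172.16/12 or 192.168/16. Two conditions, both needed:
#   1. the prefix is at least as long as the block's (rules out 10.0.0.0/4),
#   2. the network address equals the block base under the block's mask
#      (rules out 172.1.0.0/16 and 172.32.0.0/16).
is_rfc1918_net() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$addr" != "$1" ] || return 1            # no "/" given
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    ipn=$(ip2int "$addr") || return 1
    mask=$(prefix2mask "$plen") || return 1
    net=$(( ipn & mask ))
    for blk in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        bbase=$(ip2int "${blk%/*}")
        bplen=${blk#*/}
        bmask=$(prefix2mask "$bplen")
        if [ "$plen" -ge "$bplen" ] && [ $(( net & bmask )) -eq "$bbase" ]; then
            return 0
        fi
    done
    return 1
}

# old_check ADDR/PREFIX -> the prefix-string test quoted from the script,
# kept only for comparison. It looks at the address text and never at the mask.
old_check() {
    echo "${1%/*}" | grep -Eq '^10\.|^172\.1|^192\.168\.'
}

# Demo over constructed inputs: Florian's network, two more 172.x cases,
# Anders' 10.0.0.0/4 and a plain 192.168 subnet.
for n in 172.20.30.40/29 172.31.255.0/24 172.1.0.0/16 172.32.0.0/16 10.0.0.0/4 192.168.1.0/24; do
    if old_check "$n"; then o=pass; else o=FAIL; fi
    if is_rfc1918_net "$n"; then v=pass; else v=FAIL; fi
    printf '%-18s old=%s  netmask-aware=%s\n' "$n" "$o" "$v"
done
```

In the demo table, 172.20.30.40/29 and 172.31.255.0/24 fail the old test although they are private (Florian's symptom), while 172.1.0.0/16 and 10.0.0.0/4 pass it although they are not; the netmask-aware test gets all six right. Because every comparison is done on the masked integer, the same function also handles a mask such as 255.240.0.0 once it is expressed as /12.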
Yo!
ALL answers are correct [more or less -- no flames!], but don't answer his question!

Right...

In RFC1918, I found this: The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets. 10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

As per definition the RFC is right. I have worked along its lines for many, many years by now.

I decided to assign the following IPs to the hosts in my LAN: 172.20.30.40/29, i.e. 172.20.30.41 - 172.20.30.46.

IMHO good (/acceptable) decision ;-)

No smileys needed. It IS a good decision.

When I start SuSEfirewall2, there appears an error message: The network 172.20.30.40/29 you want to masquerade is not from a private network. Change this!

Is this an error of SuSEfirewall2, or do I misunderstand something completely?

I can only see this as an error in SuSE firewall (which I do not use, so I have no experience). I can testify that ipchains and iptables are both happy to do it correctly. Maybe it was tough to use partial netmasks, like 255.240.0.0
Said this, for me the question/answer is quite interesting: --> WHY does SuSEfirewall2 assume, that THIS ADDRESS isn't from a private network???
CIAO, Peter
participants (6)
- Anders Johansson
- Dieter Huerten
- Florian Pressler
- Peter van den Heuvel
- Steffen Dettmer
- Thomas Nowak