* Gerhard Sittig wrote on Fri, Jun 09, 2000 at 15:39 +0200:
> On Fri, Jun 09, 2000 at 13:33 +0200, Thomas Michael Wanka wrote:
> > Juliens, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my lan as the private addresses are not routed in the internet.
> This ^^^^^^^^^^^^^^ is better put as "should not get routed ..." -- it's not a requirement but common practice. Don't count on "RFC1918 won't show up from outside" and "won't find a way" [...]
You're right. Once in a while we did some "traceroutes" with RFC1918 source addresses with different ISPs. Usually the generated ICMP should get dropped, since it's addressed to an RFC1918 IP, but often you make some hops ... I was surprised, since I couldn't imagine how a router should know which way that packet has to be routed... Sometimes it seems that ISPs use such addresses in their networks too without filtering well. Tracing _to_ an RFC1918 address works until the first router drops that private address, generating a network unreachable or so, but sometimes the first 3 or 4 routers just forward such packets. Yeah, of course, there're a lot of misconfigured routers out there!
> Don't count on source routed packets being dropped just because *you* have always done so.
I think it's a good idea to drop source routed packets always. But again this is common practice only, so don't rely on that. At all, I would never trust the ISP in any way; maybe they have a misconfigured router, or a hacked machine or whatever. And you can't know how experienced the engineers are. To put it in a sentence:
Don't imply anything, express all constraints yourself.
- etc pp
> Activating the rp_filter seems to be a nice idea too.
> It may sound a little stupid, but security is about being paranoid. :)
Yepp, my opinion too! It's always nice to have multiple security things running. If one fails (or gets misconfigured or forgotten or whatever), it wasn't the last one... oki, Steffen
-- 
This message was generated by machine and therefore bears neither signature nor seal.
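The three checks the thread names (dropping RFC1918 sources that arrive on the ISP-facing interface, dropping source-routed packets, and the reverse-path lookup that rp_filter performs on the source address), modelled in Python as an added illustration that is not code from the original mail; the routing table, interface names and packets are constructed.

```python
"""Model of a host's ingress filter: RFC1918-from-outside, source-route
and reverse-path (rp_filter) checks.  Illustration only, with a constructed
routing table and constructed packets."""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing table: destination prefix -> outgoing interface.
ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): "eth1",   # LAN side
    ipaddress.ip_network("0.0.0.0/0"): "eth0",        # default route, ISP uplink
}
OUTSIDE_IF = "eth0"   # interface facing the ISP


@dataclass
class Packet:
    src: str
    dst: str
    iface: str                   # interface the packet arrived on
    source_routed: bool = False  # IP source-route option present


def route_lookup(addr):
    """Longest-prefix match; rp_filter runs this lookup on the *source* address."""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def ingress_decision(pkt):
    """Return ('DROP', reason) or ('ACCEPT', '').  Cheapest checks run first."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.source_routed:
        return "DROP", "source-routed packet"
    if pkt.iface == OUTSIDE_IF and any(src in n for n in RFC1918):
        return "DROP", "RFC1918 source on outside interface"
    # Reverse-path test: a reply to src must leave via the arrival interface,
    # otherwise the source address is not plausible for this interface.
    if route_lookup(pkt.src) != pkt.iface:
        return "DROP", "reverse path mismatch (rp_filter)"
    return "ACCEPT", ""
```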