Subject: Re: ipf rules
To: Wolfgang Rupprecht <>
From: Greywolf <>
List: current-users
Date: 12/13/2000 16:45:54
On 13 Dec 2000, Wolfgang Rupprecht wrote:

# (David Maxwell) writes:
# > If your cableco/ISP could _force_ 192.168.x.x destined packets at
# > your 'firewall', it would route them with your current rules. Since
# > there's no way to add the rule you really need, you need another 
# > ethernet card, as I said before.
# I'd like to underscore that.
# Sending 192.168.x.x addresses to some "cable modems" is trivial.
# Until recently my cable connection was via a transparent bridge to
# roughly 16,000 other hosts on the Fremont "ethernet".  Yes, that's not
# a typo 16 thousand.  The racket on that net was deafening!
# Any one of those 16k hosts could send an arp-request for 192.168.x.x
# and then proceed to talk to that address.  Amusingly, quite a few
# hosts did answer to  (Why are some folks so
# unimaginative???  There are 65536 addresses to chose from. ;-))
# In any case, a firewall who's security is based solely on the premise
# that nobody can route 192.168.x.x addresses to it is severely broken.

As I understand it, the addresses are not enforced non-routable,
even though they are dedicated addresses for INTERNAL NETWORKS ONLY
and you're gonna upset some people out there if you start routing

But an address is an address is an address.  Whether or not the approach
taken on said address is bogus either due to the hardware or the hardware's
administrator is a completely different matter.  Conceivably I could
cause some serious havoc with my router set to or 127.0.0.something-

Not advisable, obviously.

By the same token, I could have my router accept and route for 10.x.x.x.
Again, not advisable, but it's certainly doable.

Are they proposing that the addresses in question be enforced non-routable
by the hardware/software?  Is this happening already?

# -wolfgang
# -- 
#        Wolfgang Rupprecht <>
# Coming soon: GPS mapping tools for Open Systems.

*BSD: demonic power.