tech-net archive


Re: Proposal to apply mask to IP address set on rule



GW> So far nobody has given an actual example of any firewall or filtering
GW> system that expects a network address be given when specifying an
GW> address range using an "addr/mask" or "addr/masklen" notation.

That is correct, it is pretty rare.  Here's a survey I compiled this
weekend.   Just one (1) system refused a spec with hostbits set.

							Martin


Summary table:

Two columns each for "Fw" firewalling and "Rt" routing behaviour:

First column:  new entry behaviour:
		"A"ccepts 192.168.64.7/24 without warning,
		"R"efuses 192.168.64.7/24
		"." this thing doesn't route.

Second column: reporting behaviour afterwards:
		"K"eeps the .7 host bits, "N"ormalizes to "N"etwork address,
		"-" didn't accept the specification.
		"." this thing doesn't route.


Fw Rt	What:
AN AN	OpenBSD-7.7, pfctl(8), pf(4), route(1)
AN R-	Debian-12.11, iptables, ipset, iproute2
R- ..	Proxmox-PVE 8.4.1 Firewall (for Hypervisor & VMs, Web-GUI)
AN AN	DragonFlyBSD 6.4, ipfw3(8), route(8)
AN AN	OpenIndiana / Illumos (AK on ippools)
AN AN	Solaris 11.3 (svc:/network/ipfilter, ipf(1M))
AN AN	Solaris 11.4 (svc:/network/firewall, pfctl(8) [from OpenBSD])
AN R-	RouterOS 6.x  [MikroTik-Router]
AN AN	RouterOS 7.x  [MikroTik-Router]
AN ..	Cisco WS-C2940-8TF-S, IOS 12.1
AN ..	Cisco WS-C2960G-8TC-L, IOS 15.0


Details:

Actual commands and their output.  (Some lines have been abridged
to stay within <80 columns.)

I wasn't too interested regarding routes with set host bits myself,
but since I was already logged in, I went the whole nine yards.


OpenBSD-7.7, pfctl(8)/pf(4)

Rule:
	# pfctl -a test -f-
	block in from 192.168.64.7/24
	^D
	# pfctl -a test -s rules
	block drop in inet from 192.168.64.0/24 to any

Address table:
	# pfctl -t test -T add 192.168.64.7/24
	1 table created.
	# pfctl -t test -T show
	   192.168.64.0/24
	# pfctl -t test -T delete 192.168.64.7/24
	1/1 addresses deleted.
	# pfctl -t test -T show
	#

	("-g" for debugging doesn't add warnings.)

Route:
	# route add -blackhole 192.168.64.7/24 127.0.0.1
	add net 192.168.64.7/24: gateway 127.0.0.1
	# route -n show -inet                            
	Destination        Gateway            Flags   Iface
	192.168.64/24      127.0.0.1          UGSB      lo0  

	# route delete 192.168.64.7/24 
	delete net 192.168.64.7/24
	[works:  removes the 192.168.64/24]


Linux, (Debian-12.11, iptables-1.8.9-2, iproute2-6.1.0-3, kernel 6.8.12-8-pve)

	# iptables -I INPUT -s 192.168.64.7/24 -j REJECT
	# iptables -nL INPUT
	Chain INPUT (policy ACCEPT)
	target     prot opt source               destination         
	REJECT     0    --  192.168.64.0/24      0.0.0.0/0

	# ipset create test hash:net
	# ipset add test 192.168.64.7/24
	# ipset list
	[...]
	Members:
	192.168.64.0/24

	# ip route add 192.168.64.7/24 via 172.16.13.1
	Error: Invalid prefix for given prefix length.


Proxmox-PVE 8.4.1 Firewall, proxmox-firewall 0.7.1

	192.168.64.7/24-Rule attempt via Web-GUI:

	Parameter verification failed. (400)
	source: invalid format - invalid IP address:
	Invalid prefix 11000000101010000100000000000111/24

DragonFlyBSD 6.4-stable, ipfw3(8)

	# ipfw3 add 999 deny ip from 192.168.64.7/24
	# ipfw3 list 999
	00999 deny from 192.168.64.0/24

	# route add -blackhole 192.168.64.7/24 127.1
	add net 192.168.64.7: gateway 127.1
	# route -n show -inet
	[...]
	192.168.64           127.0.0.1           UG
	#
	# route delete 192.168.64.7/24
	route: writing to routing socket: No such process
	delete net 192.168.64.7: not in table
	# route delete 192.168.64.0/24
	delete net 192.168.64.0

OpenIndiana (illumos-12e5728106), ipf(8), svc:/network/ipfilter:default

	# ipf -E
	#
	# echo block in from 192.168.64.7/24 | ipf -f -
	# ipfstat -i
	block in from 192.168.64.0/24 to any

	# ippool -f -
	table role = ipf type = tree number = 100
		{ 1.1.1.1/32; 2.2.0.0/16; 192.168.64.7/24; };
	^D
	# 
	# ippool -l
	table role = ipf type = tree number = 100
		{ 1.1.1.1/32; 2.2.0.0/16; 192.168.64.7/24; };


	# route add -blackhole 192.168.64.7/24 127.1
	add net 192.168.64.7/24: gateway 127.1
	# netstat -rnf inet
	  Destination            Gateway    Flags  Ref     Use Interface
	[...]
	192.168.64.0         127.0.0.1      UB        1      0 lo0       
	#
	# route delete 192.168.64.7/24 127.1
	delete net 192.168.64.7/24: gateway 127.1

Solaris 11.3 (0.5.11-0.175...)
	like Illumos above.

Solaris 11.4 (11.4-11.4.81)

	pkg:/network/firewall/firewall 11.4-11.4.81.0.0.193.1
	The  Oracle  Solaris PF firewall [...] is derived from the OpenBSD PF.
	[firewall(7)]
	Tests exactly like in OpenBSD-7.7

RouterOS 6.49.18

	[neitzel@billy] /ip firewall filter> add chain=input \
			action=reject src-address=192.168.64.7/24
	[neitzel@billy] /ip firewall filter> print where action=reject
	Flags: X - disabled, I - invalid, D - dynamic 
	 [...]
	 4    chain=input action=reject src-address=192.168.64.0/24

	[neitzel@billy] /ip route> add dst-address=192.168.64.7/24 \
					gateway=172.12.13.1
	value of dst-address must have all host bits zero, as in 192.168.64.0/24

RouterOS 7.17.2

	[neitzel@hall] /ip/firewall/filter> add chain=input \
			action=reject src-address=192.168.64.7/24
	[neitzel@hall] /ip/firewall/filter> print where action=reject 
	Flags: X - disabled, I - invalid; D - dynamic 
	15    chain=input action=reject src-address=192.168.64.0/24 


Cisco Catalyst WS-C2940-8TF-S,
	IOS (tm) C2940 Software (C2940-I6K2L2Q4-M), Version 12.1(22)EA14
Cisco Catalyst WS-C2960G-8TC-L,
	IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE10

	both:

	shake#conf t
	Enter configuration commands, one per line.  End with CNTL/Z.
	shake(config)#access-list 55 deny 192.168.64.7 0.0.0.255
	shake(config)#^Z
	shake#show access-lists 55
	Standard IP access list 55
	    deny   192.168.64.0, wildcard bits 0.0.0.255
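
A small model of the behaviours the survey table records, written in Python (an added example, not part of Martin's post): the "A/N" accept-and-normalize path that pf, iptables and ipfw3 take, the "R/-" refusal that iproute2, Proxmox and the RouterOS 6 route table produce, and the IOS "addr wildcard" form from the Catalyst transcript. The message texts are modelled on the outputs quoted above; the function names are mine.

```python
import ipaddress

def hostbits_set(spec: str) -> bool:
    """True when an 'addr/masklen' spec has bits set outside its prefix
    (e.g. 192.168.64.7/24). ip_interface() parses leniently and keeps
    the host part, so the address can be compared with its network."""
    iface = ipaddress.ip_interface(spec)
    return iface.ip != iface.network.network_address

def normalize(spec: str) -> str:
    """'A'/'N' behaviour (pf, iptables, ipfw3): apply the mask silently
    and report the network address."""
    return str(ipaddress.ip_network(spec, strict=False))

def binary_prefix(spec: str) -> str:
    """The Proxmox-style rendering of the offending spec: the address
    as a 32-bit binary string followed by the prefix length."""
    iface = ipaddress.ip_interface(spec)
    return f"{int(iface.ip):032b}/{iface.network.prefixlen}"

def strict_accept(spec: str) -> str:
    """'R'/'-' behaviour (iproute2, RouterOS 6 routes): refuse the spec
    unless all host bits are zero, naming the normalized form."""
    try:
        return str(ipaddress.ip_network(spec, strict=True))
    except ValueError:
        raise ValueError(f"value of {spec} must have all host bits zero, "
                         f"as in {normalize(spec)}") from None

def wildcard_to_network(addr: str, wildcard: str) -> str:
    """IOS standard ACL form 'addr wildcard': wildcard bits are
    don't-care bits, so IOS shows the address with them cleared."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    masked = ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF)
    return f"{masked}, wildcard bits {wildcard}"

def survey(spec: str) -> dict:
    """What each modelled behaviour reports for one spec."""
    result = {"hostbits": hostbits_set(spec),
              "normalized": normalize(spec),
              "binary": binary_prefix(spec)}
    try:
        result["strict"] = strict_accept(spec)
    except ValueError as e:
        result["strict"] = f"refused: {e}"
    return result

if __name__ == "__main__":
    for spec in ("192.168.64.7/24", "192.168.64.0/24"):
        print(spec, survey(spec))
    print(wildcard_to_network("192.168.64.7", "0.0.0.255"))
```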

