Subject: Re: ipf trivial question
To: Patrick Welche <prlw1@newn.cam.ac.uk>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-help
Date: 03/09/2003 13:25:50
On Sat, Mar 08, 2003 at 08:07:07PM +0000, Patrick Welche wrote:
> On Sat, Mar 08, 2003 at 01:27:18PM -0600, Dave Uhring wrote:
> > On Saturday 08 March 2003 01:03 pm, Patrick Welche wrote:
> > > In all the recommendations for firewall rules, there seem to be a
> > > ream of block 192.186/16 127/8 etc rules to prevent such unrouteable
> > > addresses from coming in on your interface. If my interface is
> > > 12.34.56.78 netmask 0xffffff00, how could such packets be accepted by
> > > it anyway?
> > 
> > The block rules are for packets FROM RFC1918 addresses not TO such 
> > addresses.
> 
> I still don't understand. How could my interface accept a packet from such
> an address given that it doesn't match its ip/netmask? (BTW I think my 
> question did mean FROM and not TO didn't it?)

If such packets (packets coming from the internet with an RFC1918 IP as source
IP) with your IP as dest IP come in, your box will try to answer them. This
means it'll send a packet *to* an RFC1918 IP on the WAN, which is wrong.
This can be used for e.g. some DoS.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 24 years of experience will always make the difference
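An added illustration of the point Manuel makes, not part of the thread: the kernel accepts a packet on the destination address alone, so a private source address is never rejected by the interface's netmask, and only an explicit filter rule stops it (and stops the reply going out the WAN). It uses the 12.34.56.78/24 address from Patrick's question and assumes a hypothetical external interface name `ne0` for the generated ipf rules.

```python
import ipaddress

# Constructed example: the external interface from the thread, 12.34.56.78/24.
EXT_ADDR = ipaddress.ip_interface("12.34.56.78/24")

# Source ranges that should never appear on a packet arriving from the Internet:
# RFC 1918 private space plus loopback, the ranges the usual ipf block rules cover.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def interface_accepts(dst: str) -> bool:
    """The host delivers a packet based on its *destination* only; the
    interface's own netmask says nothing about where the source may be."""
    return ipaddress.ip_address(dst) == EXT_ADDR.ip


def is_bogon_source(src: str) -> bool:
    """True if the source address lies in a private or loopback range."""
    return any(ipaddress.ip_address(src) in net for net in BOGON_SOURCES)


def reply_would_leave_on_wan(src: str) -> bool:
    """A reply goes back to src. If src is private, that reply is sent out the
    WAN towards an unroutable address, which is the problem described above."""
    return is_bogon_source(src)


def ingress_filter(src: str, dst: str) -> str:
    """Decision a 'block in quick on ne0 from <bogon> to any' rule set makes."""
    if not interface_accepts(dst):
        return "not for us"
    if is_bogon_source(src):
        return "block"
    return "pass"


def ipf_rules(iface: str = "ne0") -> list:
    """Generate the matching ipf rules: block bogon sources on the way in, and
    block any reply towards a bogon destination on the way out (iface is assumed)."""
    rules = []
    for net in BOGON_SOURCES:
        rules.append(f"block in quick on {iface} from {net} to any")
        rules.append(f"block out quick on {iface} from any to {net}")
    return rules
```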