LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 07-01-2004, 03:04 AM   #1
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 286

Rep: Reputation: 33
ESSENTIAL FIREWALL RULES for packet filtering


If anyone would care to say whether this makes sense, or if there's something else they'd like to add, I'm interested in reading it.


www.wildpackets.com has a good subnet calculator available for free download.

"IP Rules
This chapter focuses on those firewall rules that are related to the IP protocol. The examples of firewall rules are Linux ipchains. These examples don't show logging of the denied packets but logging is easily added with the -L option.
Source Address Rules
Packets arriving at the external interface can have their IP source addresses altered by an attacker. There are IP addresses that you would normally deny. These are:

Packets with the IP address of the firewall's external interface. The following statement would deal with this assuming that the external interface is 206.190.136.129.

ipchains -A input -i eth0 -s 206.190.136.129 -j DENY


Packets with an IP address of the inside network. This example assumes that the inside network address is 192.168.1.0:
ipchains -A input -i eth0 -s 192.168.1.0/24 -j DENY
Packets with private IP addresses. Private addresses are in the following address ranges: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. Here are three rules for dealing with these three ranges:
ipchains -A input -i eth0 -s 10.0.0.0/8 -j DENY
ipchains -A input -i eth0 -s 172.16.0.0/12 -j DENY
ipchains -A input -i eth0 -s 192.168.0.0/16 -j DENY

Packets with CLASS D IP multicast addresses. Multicast addresses may be found in the destination address field but should never occur in the source address field.
ipchains -A input -i eth0 -s 224.0.0.0/4 -j DENY


Packets with Class E addresses. The address range 240.0.0.0 to 247.255.255.255 was set aside for experimentation and possible future use. You should deny them unless you know they're required.
ipchains -A input -i eth0 -s 240.0.0.0/5 -j DENY
Packets with the loopback IP address. This is any address in the range of 127.0.0.0 to 127.255.255.255.


ipchains -A input -i eth0 -s 127.0.0.0/8 -j DENY

Packets with a source address of 0.0.0.0.
ipchains -A input -i eth0 -s 0.0.0.0/32 -j DENY

Packets with addresses that IANA.ORG has not yet issued or are reserved. These addresses change from time to time. Check periodically at www.iana.org."


I must also ask: would someone please share a list of, or a pointer to, these not-yet-issued or reserved IANA addresses?
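The source-address checks quoted above, as an added example that is not from the post or from the class material it quotes: the same filter expressed as an nftables ruleset, generated by a shell function so the address list can be validated before anything is loaded. The interface, external address and inside network are the post's own placeholders (eth0, 206.190.136.129, 192.168.1.0/24). The bogon list goes beyond the post: it adds the 169.254.0.0/16 link-local block, uses the full Class E block 240.0.0.0/4, and includes the remaining IPv4 special-purpose ranges from RFC 6890 (shared address space, documentation and benchmarking networks).

```shell
#!/bin/sh
# Added example, not from the post: anti-spoof source-address rules as an
# nftables ruleset, built by a function so the inputs can be checked first.
# eth0, 206.190.136.129 and 192.168.1.0/24 are placeholders from the post.

# Special-purpose IPv4 ranges that must never be a source address arriving
# on the external interface (private, loopback, link-local, multicast,
# Class E and the other RFC 6890 reserved blocks).
bogon_ranges() {
	cat <<'EOF'
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
EOF
}

# valid_cidr A.B.C.D/N: succeed only for a well-formed IPv4 prefix.
valid_cidr() {
	printf '%s\n' "$1" | awk -F'[./]' '
		NF != 5 { exit 1 }
		{
			for (i = 1; i <= 4; i++)
				if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
			if ($5 !~ /^[0-9]+$/ || $5 + 0 > 32) exit 1
		}'
}

# gen_ruleset IFACE EXT_ADDR INSIDE_NET: print an nftables ruleset that
# counts, logs and drops spoofed sources on IFACE. The prerouting hook sees
# both locally delivered and forwarded packets, so one chain covers both.
gen_ruleset() {
	iface=$1; ext=$2; inside=$3
	for r in "$ext/32" "$inside" $(bogon_ranges); do
		valid_cidr "$r" || { echo "gen_ruleset: bad prefix $r" >&2; return 1; }
	done
	cat <<EOF
table inet antispoof {
	set bogons {
		type ipv4_addr
		flags interval
		elements = { $(bogon_ranges | tr '\n' ',' | sed 's/,$//') }
	}
	chain ingress_check {
		type filter hook prerouting priority -300; policy accept;
		iifname "$iface" ip saddr $ext counter log prefix "spoof-self " drop
		iifname "$iface" ip saddr $inside counter log prefix "spoof-inside " drop
		iifname "$iface" ip saddr @bogons counter log prefix "bogon " drop
	}
}
EOF
}

gen_ruleset eth0 206.190.136.129 192.168.1.0/24
```

Save the output to a file and run `nft -c -f file` to syntax-check it without loading, then `nft -f file` to load it. On a Linux router `sysctl net.ipv4.conf.all.rp_filter=1` already rejects packets whose source would be routed back out a different interface, which covers the inside-network case, but it does not catch a spoofed copy of the firewall's own address or most of the bogon ranges, so the explicit drops still earn their place.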
 
Old 07-02-2004, 01:57 AM   #2
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 286

Original Poster
Rep: Reputation: 33
Is www.iana.org really a godsend source of Internet accounting information?


"The IANA's Role in the Internet


The word "authority" in the IANA's name is perhaps a bit misleading: it means that the IANA keeps authoritative records concerning various numbers for other organizations; the choice of what goes into these records is determined by a variety of engineering and other considerations. The IANA serves as a bookkeeper in recording the assignments that are made. In Internet terminology, the record-keeping service IANA performs is called a registration service, and IANA serves as a registry. "


http://www.iana.org/faqs/abuse-faq.htm


In addition to IP addresses, IANA also serves as a registry for a variety of Protocol Numbers (see <http://www.iana.org/numbers.html>) and several other kinds of names and identifiers.


It is important to realize that IANA is not an ISP in any way, and it does not provide any network services to any end users or organizations. It does not control the use of any of the numbers it records, nor, in general, does it have the authority to change the values it records.
 
Old 07-09-2004, 07:11 PM   #3
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 286

Original Poster
Rep: Reputation: 33
this is an important topic

It's amazing there aren't many people interested in commenting on something that is supposed to be so essential and basic in networking. Am I just that much of a newbie, and is this such newbie information that it's boring for most of the people frequenting LinuxQuestions.org > Forums > Linux - Networking?

That they have nothing to concur with or dispute here?

What's up? I thought this would be a more important topic here.
 
Old 09-02-2004, 12:58 PM   #4
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 286

Original Poster
Rep: Reputation: 33
Re: this is an important topic

Quote:
Originally posted by studpenguin
It's amazing there aren't many people interested in commenting on something that is supposed to be so essential and basic in networking. Am I just that much of a newbie, and is this such newbie information that it's boring for most of the people frequenting LinuxQuestions.org > Forums > Linux - Networking?

That they have nothing to concur with or dispute here?

What's up? I thought this would be a more important topic here.
Indeed.
 
Old 09-03-2004, 01:29 AM   #5
zatriz
Member
 
Registered: Aug 2003
Location: Seattle, Wa
Distribution: Fedora,Trustix,Debian
Posts: 290

Rep: Reputation: 30
Here is the list of reserved IP addresses:

Private Use IP addresses:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Autoconfiguration IP Addresses:
169.254.0.0 - 169.254.255.255

Loopback IP addresses:
127.0.0.0 - 127.255.255.255

Multicast IP addresses:
224.0.0.0 - 239.255.255.255
 
Old 09-03-2004, 07:40 AM   #6
mancini
LQ Newbie
 
Registered: Sep 2004
Distribution: Slackware
Posts: 16

Rep: Reputation: 0
There's nothing much to debate about IANA; it's just an authority like any other. To name ICANN (http://www.icann.org/) just for one, which is also an Internet assigned-numbers authority dealing mostly with domain names and DNS; IANA deals with/delegates the rest (IP/AS numbers, ports, etc.).

You don't see people going around looking for software written by the W3C (http://www.w3.org/) just because they deal with programming standards.

As for firewall rules, here are some I find of good use:

## Ping flood protection
# Order matters: the rate-limited ACCEPT must come before the unconditional
# DROP, otherwise every echo-request hits the DROP and the limit never applies.
# Drop ICMP that conntrack considers invalid before any ICMP is accepted.
iptables -A INPUT -p icmp -i eth0 -m state --state INVALID -j DROP
# Accept echo-request at a rate of 2/s, drop the rest
iptables -A INPUT -p icmp -i eth0 --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
iptables -A INPUT -p icmp -i eth0 --icmp-type echo-request -j DROP
# Allow all other icmp
iptables -A INPUT -p icmp -j ACCEPT

# some ACK and DOS protection
# TCPMSS is only valid in the mangle table, so select it with -t mangle
iptables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Drop new inbound TCP connections (SYN without an existing conntrack entry) on eth0
iptables -A INPUT -p tcp -i eth0 --syn -m state --state NEW -j DROP
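The ICMP rules in this post depend on their order: iptables is first-match, so an unconditional DROP for echo-request placed ahead of a rate-limited ACCEPT with the same match leaves the ACCEPT unreachable. The following is an added example, not the poster's code: a small shell/awk check that takes rules in `iptables-save` (`-A CHAIN ...`) syntax and reports any rule whose match criteria are identical to an earlier unconditional ACCEPT/DROP/REJECT. The sample rulesets are constructed for the example, copying the post's three ICMP rules in posted order and in the corrected order.

```shell
#!/bin/sh
# Added example, not from the post: flag iptables rules that can never match
# because an earlier rule with the same match criteria already terminates
# the packet. Input is iptables-save style "-A CHAIN ... -j TARGET" lines.

# Constructed sample: the three ICMP rules from the post, in posted order.
POSTED_ICMP_RULES='-A INPUT -p icmp -i eth0 --icmp-type echo-request -j DROP
-A INPUT -p icmp -i eth0 --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp -j ACCEPT'

# Constructed sample: the same rules with the rate-limited ACCEPT first.
FIXED_ICMP_RULES='-A INPUT -p icmp -i eth0 --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp -i eth0 --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT'

# find_shadowed RULES: print one line per rule that is fully shadowed by an
# earlier rule. Heuristic: the match part (the text before -j, with any
# "-m limit --limit X [--limit-burst N]" removed) must be textually identical;
# an earlier rule with an unconditional terminating target (ACCEPT, DROP or
# REJECT) and no rate limit shadows every later rule with that same match.
find_shadowed() {
	printf '%s\n' "$1" | awk '
		/^-A / {
			n++
			line = $0
			target = ""
			if (match(line, / -j [A-Za-z]+/)) {
				target = substr(line, RSTART + 4, RLENGTH - 4)
				line = substr(line, 1, RSTART - 1)
			}
			limited = (line ~ / -m limit --limit [^ ]+/)
			gsub(/ -m limit --limit [^ ]+/, "", line)
			gsub(/ --limit-burst [^ ]+/, "", line)
			if (line in first) {
				printf "rule %d is shadowed by rule %d: %s\n", n, first[line], line
				next
			}
			if (!limited && (target == "ACCEPT" || target == "DROP" || target == "REJECT"))
				first[line] = n
		}'
}

find_shadowed "$POSTED_ICMP_RULES"
```

On a live system, feed it one chain at a time from `iptables-save`, e.g. `find_shadowed "$(iptables-save | grep '^-A INPUT ')"`. The check only catches identical match strings; a broader earlier rule (such as `-p icmp -j ACCEPT` ahead of a narrower `-p icmp --icmp-type echo-request -j DROP`) also shadows what follows it but is not reported, so it is a first pass, not a proof that the ordering is right.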
 
Old 10-04-2004, 10:24 AM   #7
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 286

Original Poster
Rep: Reputation: 33
Quote:
Originally posted by mancini
There's nothing much to debate about IANA; it's just an authority like any other. To name ICANN (http://www.icann.org/) just for one, which is also an Internet assigned-numbers authority dealing mostly with domain names and DNS; IANA deals with/delegates the rest (IP/AS numbers, ports, etc.).

You don't see people going around looking for software written by the W3C (http://www.w3.org/) just because they deal with programming standards.

As for firewall rules, here are some I find of good use:
Do you professionals agree the ones I posted are good and standard?

Do you care to explain anything about the history of why those rules are good and standard?

 
Old 09-10-2009, 01:22 PM   #8
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 286

Original Poster
Rep: Reputation: 33
I'd just like to credit Ed Sawicki for giving me this information. I took it straight out of his brief Firewalls class back at MHCC 5 years ago.
 
Old 09-10-2009, 02:02 PM   #9
Suncoast
Member
 
Registered: Apr 2009
Location: Largo, Florida
Distribution: Slackware
Posts: 208

Rep: Reputation: 35
Quote:
Originally Posted by studpenguin View Post

Packets with Class E addresses. The address range 240.0.0.0 to 247.255.255.255 was set aside for experimentation and possible future use. You should deny them unless you know they're required.
ipchains -A input -i eth0 -s 240.0.0.0/5 -j DENY


I must also ask if someone would please care to share a list where to find these not yet issued or reserved IANA.org addresses?
Ipchains has been deprecated for some time, so this is a very stale document. And they are missing the 169.254.x.x APIPA block.

But the biggest thing that jumps out at me is the reference to Class E. That is in use today for routing protocols like OSPF. (240.0.0.5). And the IPV6 tunneling protocols like isatap and teredo use multicast on 240.0.0.0/29 as well.

IANA once issued lists of assigned IP blocks, but I have not seen anything like that recently. However there are still a few unassigned blocks held by IANA. Lookup 223.0.0.0. Before the switch to regional authorities, Ripe, APNIC, etc., there were quite a few blocks like this.
 
Old 09-10-2009, 03:39 PM   #10
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 286

Original Poster
Rep: Reputation: 33
Good to know, Suncoast. Thanks.
 
Old 12-05-2010, 09:06 AM   #11
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 286

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by studpenguin View Post
I'd just like to credit Ed Sawicki for giving me this information. I took it straight out of his brief Firewalls class back at MHCC 5 years ago.
http://alcpress.com/

Last edited by studpenguin; 12-05-2010 at 09:12 AM.
 