User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier:
Firehol 1.226-r1 has an outdated bogons list. Firehol is a BASH script that generates iptables rules. The bogons list is coded into the script itself, and is now outdated. The bogons list should be updated every 4 months according to robt at cymru.com
Reproducible: Always
Steps to Reproduce:
1. Emerge and activate firehol on an internet connected host.
2. Ping that host from a net that used to be in the bogons list. For example NetCom in Norway have started to allocate IP addresses from the 89.0.0.0/8 range to its 3G mobile customers. This network was allocated to RIPE in June 2005.
Actual Results: Firehol blocks traffic from networks that are no longer in the bogons list.
Expected Results: Firehol should have had an updated bogons list.
Updated bogons list here: http://www.cymru.com/Documents/bogon-bn.html
Unfortunately firehol itself seems to be not managed actively at the moment. I will try to provide a patch in gentoo to update the list.
Hmm, I'm not sure about this list, I don't know the internals of firehol well enough to know what to update in order to fix this. If I run the get-iana.sh that is included in firehol, I get the following updated list:
RESERVED_IPS="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 42.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/8 175.0.0.0/8 176.0.0.0/8 177.0.0.0/8 178.0.0.0/8 179.0.0.0/8 180.0.0.0/8 181.0.0.0/8 182.0.0.0/8 183.0.0.0/8 184.0.0.0/8 185.0.0.0/8 186.0.0.0/8 187.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8 "
Does anybody know if this is the correct list? Some entries that were listed previously are not in this list any more...
Hi! The list generated by get-iana.sh seems to be updated and accurate. The script looks in the right place (www.iana.org), so I think we can trust this one. I did not know about this script, thanks for pointing me to it. Would have been nice if this script was called from firehol itself, but if it's not under maintenance anymore it's not likely to happen. Anyone know of better and actively maintained alternatives to firehol?
Created attachment 103465
Fix for latest IANA Reserved IP numbers.
One line patch to update the reserved ip addresses for 1.226. The line is obtained from the IANA data, by using aggregate-flim to compress for a shorter set of variables. Firehol is still in active development. This exact change is in the firehol sourceforge CVS (at version 1.250)...along with some enhancements, and at least one bugfix.
I have now updated to CVS-version 250, I think this includes updated IPs and solves this bug. The new version should appear on the mirrors soon.
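The failure reported in this bug, a hardcoded bogon list that still covers address space since allocated, can be checked mechanically. The following is an added example, not code from firehol or from anyone in this thread: the function names and both sample lists are constructed for illustration, and only 89.0.0.0/8 comes from the report. It handles aggregated entries (as produced by tools like aggregate-flim) by testing for range overlap rather than string equality.

```shell
#!/bin/sh
# Added example: flag entries of a firewall's reserved-IP list that overlap
# address space known to be allocated. Helper names are hypothetical.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    _old=$IFS; IFS=.
    set -- $1
    IFS=$_old
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# First address of a CIDR block, as an integer.
cidr_first() {
    _base=$(ip2int "${1%/*}"); _len=${1#*/}
    _mask=$(( (4294967295 << (32 - _len)) & 4294967295 ))
    echo $(( _base & _mask ))
}

# Last address of a CIDR block, as an integer.
cidr_last() {
    _len=${1#*/}
    echo $(( $(cidr_first "$1") | (4294967295 >> _len) ))
}

# stale_bogons "<reserved list>" "<allocated list>"
# Prints each reserved entry whose range overlaps an allocated prefix.
stale_bogons() {
    for r in $1; do
        r_lo=$(cidr_first "$r"); r_hi=$(cidr_last "$r")
        for a in $2; do
            a_lo=$(cidr_first "$a"); a_hi=$(cidr_last "$a")
            if [ "$r_lo" -le "$a_hi" ] && [ "$a_lo" -le "$r_hi" ]; then
                echo "$r"
                break
            fi
        done
    done
}

# Constructed sample data: a stand-in for an outdated, aggregated list, and
# the prefix the report says was allocated to RIPE in June 2005.
OLD_RESERVED="0.0.0.0/8 88.0.0.0/7 127.0.0.0/8"
ALLOCATED="89.0.0.0/8"
stale_bogons "$OLD_RESERVED" "$ALLOCATED"   # prints 88.0.0.0/7
```

Passing a single host as a /32 in the second argument answers the narrower question of whether one particular source address would be dropped by the list.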