Bug 151588

Summary:	net-firewall/firehol-1.226-r1needs updated bogons list
Product:	Gentoo Linux	Reporter:	Oyvind Ellefsen <oe>
Component:	New packages	Assignee:	Dominik Stadler (RETIRED) <centic>
Status:	RESOLVED FIXED
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	Fix for latest IANA Reserved IP numbers.

Description Oyvind Ellefsen 2006-10-16 07:16:11 UTC

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: 

Firehol 1.226-r1 have an outdated bogons list. Firehol is a BASH script that
generate iptables rules. The bogons list is coded into the script itselv, and is
now outdated. The bogons list should be updated every 4 months according to robt
at cymru.com


Reproducible: Always

Steps to Reproduce:
1. Emerge and activate firehol on an internet connected host.
2. Ping that host from a net that used to be in the bogons list. For example
NetCom in Norway have started to allocate IP addresses from the 89.0.0.0/8 range
to it's 3G mobile customers. This network was allocated to RIPE in June 2005.


Actual Results:  
Firehol block traffic from networks that are no longer in the bogons list.

Expected Results:  
Firehol shoud have had an updated bogons list.

Updated bogons list here;
http://www.cymru.com/Documents/bogon-bn.html

Comment 1 Dominik Stadler (RETIRED) gentoo-dev

2006-11-04 02:37:30 UTC

Unfortunately firehol itself seems to be not managed actively at the moment. I will try to provide a patch in gentoo to update the list.

Comment 2 Dominik Stadler (RETIRED) gentoo-dev

2006-11-04 03:31:03 UTC

Hmm, I'm not sure about this list, I don't know the internals of firehol well enough to know what to update in order to fix this.

If I run the get-iana.sh that is included in firehol, I get the following updated list:

RESERVED_IPS="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 42.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/8 175.0.0.0/8 176.0.0.0/8 177.0.0.0/8 178.0.0.0/8 179.0.0.0/8 180.0.0.0/8 181.0.0.0/8 182.0.0.0/8 183.0.0.0/8 184.0.0.0/8 185.0.0.0/8 186.0.0.0/8 187.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8 "

Does anybody know if this is the correct list? Some entries that were listed previously are not in this list any more...

Comment 3 Oyvind Ellefsen 2006-11-04 03:55:38 UTC

Hi!

The list generated by get-iana.sh seems to be updated and accurate. The script looks in the right place (www.iana.org), so I think we can trust this one. I did not know about this script, thanks for pointing me to it. 

Would have been nice if this script was called from firehol itself, but if it's not under maintenance anymore it's not likely to happen.

Anyone know of better and actively maintained alternatives to firehol?

Comment 4 phceac 2006-12-06 10:23:24 UTC

Created attachment 103465 [details, diff]
Fix for latest IANA Reserved IP numbers.

One line patch to update the reserved ip addresses for 1.226.

The line is obtained from the IANA data, by using aggregate-flim to compress for a shorter set of variables.

Firehol is still in active development.  This exact change is in the firehol sourceforge CVS (at version 1.250)...along with some enhancements, and at least one bugfix.

Comment 5 Dominik Stadler (RETIRED) gentoo-dev

2006-12-28 13:00:47 UTC

I have now updated to CVS-version 250, I think this includes updated IPs and solves this bug. The new version should appear on the mirrors soon.