Parity does not filter 100.64.0.0/10 ip range when --allow-ips=public #5872
Comments
Our cloud provider opened an abuse report and blocked our servers, as these ranges were not blocked.
It seems Parity only blocks RFC1918 private network connections, but it should also block reserved IPs. This is not really a bug but an annoyance as 100.64.0.0/10 is not a private network. We should consider blocking all reserved IP address spaces. https://en.wikipedia.org/wiki/IPv4#Special-use_addresses I personally use iptables to circumvent this issue. https://ethereum.stackexchange.com/a/9964
Just confirming that the solution here is to filter all reserved ips from the public list?
Also it looks like the only current criteria for the |
* Add checks for all ipv4 special use addresses
* Add comprehensive ipv4 test cases
@sjeohp This should really be addressed by allowing custom ranges in addition to predefined "public" and "private" sets. E.g. |
On a practical note, it might be easier (from a user perspective) blacklisting rather than whitelisting sets of ip addresses, i.e., |
I've refactored to exclude more of the reserved/special-use IPs including I can add both |
On second thought maybe something like |
I'd be happy with either solution.
* Add IpFilter struct to wrap predefined filter (AllowIP) with custom allow/block filters.
* Refactor parsing of --allow-ips to handle custom filters.
* Move AllowIP/IpFilter from ethsync to ethcore-network where they are used.

* Add "none" as a valid argument for --allow-ips to allow narrow custom ranges, eg.: --allow-ips="none 10.0.0.0/8"
* Add tests for parsing filter arguments and node endpoints.
* Add ipnetwork crate to dev dependencies for testing.
* Add checks for additional reserved ip addresses 100.64.0.0/10 and 240.0.0.0/4 are both reserved but not currently filtered.
* Add check for special purpose addresses 192.0.0.0/24 - Used for the IANA IPv4 Special Purpose Address Registry
* Refactor ip_utils (#5872)
* Add checks for all ipv4 special use addresses
* Add comprehensive ipv4 test cases
* Refactor Ipv6 address checks (#5872)
* Refactor AllowIP (#5872)
* Add IpFilter struct to wrap predefined filter (AllowIP) with custom allow/block filters.
* Refactor parsing of --allow-ips to handle custom filters.
* Move AllowIP/IpFilter from ethsync to ethcore-network where they are used.
* Revert Cargo.lock
* Tests for custom ip filters (#5872)
* Add "none" as a valid argument for --allow-ips to allow narrow custom ranges, eg.: --allow-ips="none 10.0.0.0/8"
* Add tests for parsing filter arguments and node endpoints.
* Add ipnetwork crate to dev dependencies for testing.
* Add ipv6 filter tests (#5872)
* Revert parity-ui-precompiled to master
* Fix minor detail in usage.txt (#5872)
* Spaces to tabs
* Rename IpFilter::new() to ::default()
* Small readability improvements
* Test (#5872)
* Revert "Test (#5872)" This reverts commit 7a89064.
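The gap this issue reports, as an added example that is not Parity's own code: an RFC 1918-only check treats 100.64.0.0/10 as public, while a check against the IPv4 special-use blocks does not. The function names and the `SPECIAL_USE` table are assumptions made for illustration.

```rust
use std::net::Ipv4Addr;

// Constructed table of IPv4 special-use blocks (network, prefix length),
// including the ranges named in this thread. Not taken from Parity's source.
const SPECIAL_USE: &[([u8; 4], u32)] = &[
    ([0, 0, 0, 0], 8),       // "this network"
    ([10, 0, 0, 0], 8),      // RFC 1918 private
    ([100, 64, 0, 0], 10),   // shared address space (carrier-grade NAT)
    ([127, 0, 0, 0], 8),     // loopback
    ([169, 254, 0, 0], 16),  // link-local
    ([172, 16, 0, 0], 12),   // RFC 1918 private
    ([192, 0, 0, 0], 24),    // IANA IPv4 Special Purpose Address Registry
    ([192, 0, 2, 0], 24),    // documentation (TEST-NET-1)
    ([192, 168, 0, 0], 16),  // RFC 1918 private
    ([198, 18, 0, 0], 15),   // benchmarking
    ([198, 51, 100, 0], 24), // documentation (TEST-NET-2)
    ([203, 0, 113, 0], 24),  // documentation (TEST-NET-3)
    ([224, 0, 0, 0], 4),     // multicast
    ([240, 0, 0, 0], 4),     // reserved, includes limited broadcast
];

/// True when `ip` falls inside the CIDR block `net`/`prefix`.
fn in_block(ip: Ipv4Addr, net: [u8; 4], prefix: u32) -> bool {
    let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - prefix) };
    (u32::from(ip) & mask) == (u32::from(Ipv4Addr::from(net)) & mask)
}

/// The behaviour reported in the issue: only RFC 1918 ranges count as non-public.
fn is_public_rfc1918_only(ip: Ipv4Addr) -> bool {
    !ip.is_private()
}

/// Stricter check: any address in a special-use block counts as non-public.
fn is_public_strict(ip: Ipv4Addr) -> bool {
    !SPECIAL_USE.iter().any(|&(net, prefix)| in_block(ip, net, prefix))
}

fn main() {
    // Constructed sample addresses around the edges of 100.64.0.0/10.
    let samples = ["100.64.0.1", "100.127.255.254", "100.128.0.1", "10.1.2.3", "8.8.8.8", "240.0.0.1"];
    for s in samples.iter() {
        let ip: Ipv4Addr = s.parse().unwrap();
        println!("{:<16} rfc1918-only={:<5} strict={}", s, is_public_rfc1918_only(ip), is_public_strict(ip));
    }
}
```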
All these private bogon ip addresses must be blocked https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt