Florian Brandstetter President & Founder |
The following list is what I'm thinking of using for blocking traffic between an edge router acting as a firewall and an ISP/upstream. This table is limited to address blocks only; TCP/UDP port filtering, and IP protocol filtering, is a separate discussion. This is for an implementation of BCP-38 recommendations.

I'm trying to decide whether the firewall should just blackhole these addresses in the routing table, or use rules in NFTABLES against source and destination addresses, or some combination. If NFTABLES, the best place to put the blocks (inbound and outbound) would be in the FORWARD chain, both inbound and outbound. (N.B. for endpoint boxes, they go into the OUTPUT chain.)

In trying to research what would constitute "best practice", the papers I found were outdated, potentially incomplete (particularly with reference to IPv6), or geared toward other applications. This table currently does not have exceptions -- some may need to be added as a specific "allow" route or list.

The Linux rp_filter knob is effective for endpoint servers and workstations, and I turn it on religiously (easy because it's the default). For a firewall router without blackhole routes, it's less effective because, for incoming packets, a source address matching one of your inside netblocks will pass.

A subset of the list would be useful in endpoint boxes to relieve pressure on the upstream edge router -- particularly if a ne'er-do-well successfully hijacks the endpoint box to participate in a DDoS flood.

IPv4

Address block        Scope            Description
0.0.0.0/8            Software         Current network (only valid as source address).
10.0.0.0/8           Private network  Used for local communications within a private network.
100.64.0.0/10        Private network  Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT.
127.0.0.0/8          Host             Used for loopback addresses to the local host.
169.254.0.0/16       Subnet           Used for link-local addresses between two hosts on a single link when no IP address is otherwise specified, such as would have normally been retrieved from a DHCP server.
172.16.0.0/12        Private network  Used for local communications within a private network.
192.0.0.0/24         Private network  IETF Protocol Assignments.
192.0.2.0/24         Documentation    Assigned as TEST-NET-1, documentation and examples.
192.88.99.0/24       Internet         Reserved. Formerly used for IPv6 to IPv4 relay.
192.168.0.0/16       Private network  Used for local communications within a private network.
198.18.0.0/15        Private network  Used for benchmark testing of inter-network communications between two separate subnets.
198.51.100.0/24      Documentation    Assigned as TEST-NET-2, documentation and examples.
203.0.113.0/24       Documentation    Assigned as TEST-NET-3, documentation and examples.
224.0.0.0/4          Internet         In use for IP multicast.
240.0.0.0/4          Internet         Reserved for future use.
255.255.255.255/32   Subnet           Reserved for the "limited broadcast" destination address.

IPv6

Address block        Usage            Purpose
::/0                 Routing          Default route.
::/128               Software         Unspecified address.
::1/128              Host             Loopback address to local host.
::ffff:0:0/96        Software         IPv4 mapped addresses.
::ffff:0:0:0/96      Software         IPv4 translated addresses.
64:ff9b::/96         Global Internet  IPv4/IPv6 translation.
100::/64             Routing          Discard prefix.
2001::/32            Global Internet  Teredo tunneling.
2001:20::/28         Software         ORCHIDv2.
2001:db8::/32        Documentation    Addresses used in documentation and example source code.
2002::/16            Global Internet  The 6to4 addressing scheme.
fc00::/7             Private network  Unique local address.
fe80::/10            Link             Link-local address.
ff00::/8             Global Internet  Multicast address.
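The FORWARD-chain policy sketched in the post, as an added example that is not part of the original message: a Python model of the address-only verdict for both directions, treating the site's own netblocks as the exceptions the post says the table still needs (and dropping an inside source that arrives from the upstream side, the case rp_filter alone lets through), plus a rendering of the same policy as an nftables ruleset. The inside blocks 10.1.0.0/16 and 2001:db8:1::/48, the interface names wan0/lan0, and the sample addresses in the comments are assumptions for illustration.

```python
import ipaddress

# Address blocks copied from the table above; ::/0 is left out (default route, not a discard block).
IPV4_BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "255.255.255.255/32"]
IPV6_BOGONS = ["::/128", "::1/128", "::ffff:0:0/96", "::ffff:0:0:0/96", "64:ff9b::/96", "100::/64",
    "2001::/32", "2001:20::/28", "2001:db8::/32", "2002::/16", "fc00::/7", "fe80::/10", "ff00::/8"]
# Assumed inside netblocks: NATed RFC1918 space (itself on the bogon list, hence the
# exception below) and a documentation prefix standing in for a real delegated IPv6 block.
INSIDE = ["10.1.0.0/16", "2001:db8:1::/48"]
_BOGONS = [ipaddress.ip_network(n) for n in IPV4_BOGONS + IPV6_BOGONS]
_INSIDE = [ipaddress.ip_network(n) for n in INSIDE]

def in_any(addr, nets):
    return any(addr in n for n in nets if n.version == addr.version)

def forward_verdict(direction, src, dst):
    """Address-only FORWARD verdict; direction is "in" (WAN->LAN) or "out" (LAN->WAN).
    Inside blocks are exempt from the bogon list only on their own side: an inside
    source arriving from the WAN is spoofed, which rp_filter alone lets through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if in_any(src, _INSIDE) or in_any(src, _BOGONS):
            return "drop"
        return "accept" if in_any(dst, _INSIDE) else "drop"
    if direction == "out":  # BCP-38 egress: only our own source addresses may leave
        if not in_any(src, _INSIDE) or in_any(dst, _BOGONS) or in_any(dst, _INSIDE):
            return "drop"
        return "accept"
    raise ValueError(direction)

def nft_ruleset(wan="wan0", lan="lan0"):
    """Render the same policy as an nftables ruleset (interface names are assumptions)."""
    fams = (("4", "ip", IPV4_BOGONS, INSIDE[0]), ("6", "ip6", IPV6_BOGONS, INSIDE[1]))
    out = ["table inet bcp38 {"]
    for f, _, bogons, inside in fams:
        out.append(f"  set bogon{f} {{ type ipv{f}_addr; flags interval; elements = {{ {', '.join(bogons)} }} }}")
        out.append(f"  set inside{f} {{ type ipv{f}_addr; flags interval; elements = {{ {inside} }} }}")
    out += ["  chain forward {", "    type filter hook forward priority 0; policy drop;"]
    for f, p, _, _ in fams:
        out += [f'    iifname "{wan}" {p} saddr @inside{f} drop',  # spoofed inside source
                f'    iifname "{wan}" {p} saddr @bogon{f} drop',
                f'    iifname "{wan}" {p} daddr @inside{f} accept',
                f'    iifname "{lan}" {p} saddr != @inside{f} drop',  # BCP-38 egress filter
                f'    iifname "{lan}" {p} daddr @bogon{f} drop',
                f'    iifname "{lan}" {p} daddr != @inside{f} accept']
    out += ["  }", "}"]
    return "\n".join(out)
```

Port, protocol and conntrack rules are deliberately absent, as in the post's table; the generated ruleset only encodes the address-block policy.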