
On Sun, 5 Dec 2004, Joe Abley wrote:
On 5 Dec 2004, at 06:50, Cliff Albert wrote:
I have one question regarding the CYMRU bogon route-server. What good is it if more-specific bogons are going around in the BGP table?
With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to BGP updates received from individual peers which updates a pf radix table with the network received:
PF and bgpd with a local filter table is good when you're expecting those filtered IP routes to change often. But this is not true of bogons, which for cymru IANA-only data change a couple of times a year and for completewhois full RIR bogons change once/day. Both of those are not often enough that updating firewall filters from an active BGP session is worth it; it's easier to just download the list of bogons once/day or once/week from web or ftp and update local rules.

The completewhois webpage on how to use our bogon data has all the scripts for doing bogon firewall filtering on Linux, FreeBSD and OpenBSD machines, see http://www.completewhois.com/bogons/using_bogon_lists.htm

---
William Leibzon, Elan Networks: mailto: william@elan.net
Anti-Spam and Email Security Research Worksite: http://www.elan.net/~william/emailsecurity/
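
The periodic "download the list and update local rules" approach from the message above, as an added example that is not part of the thread and is not one of the completewhois scripts: it validates an already-downloaded list before it is allowed to replace a filter table, and shows why a containment match also covers the more-specific prefixes asked about earlier. The one-CIDR-per-line input format, the pf table name `bogons` and both thresholds are assumptions.

```python
import ipaddress

# Constructed sample of a downloaded bogon list (not real feed data).
SAMPLE_LIST = """\
# constructed sample, one CIDR per line
10.0.0.0/8
10.1.0.0/16
172.16.0.0/12
192.168.0.0/16
not-a-prefix
0.0.0.0/0
"""

def parse_bogons(text, min_entries=3, min_prefixlen=3):
    """Return (collapsed IPv4 networks, rejected lines) for a bogon list.
    Raises ValueError if too few prefixes survive, so a truncated or empty
    download never replaces a working filter table."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        # A very short prefix (such as 0.0.0.0/0) would block nearly everything.
        if net.prefixlen < min_prefixlen:
            rejected.append(line)
            continue
        nets.append(net)
    collapsed = list(ipaddress.collapse_addresses(nets))
    if len(collapsed) < min_entries:
        raise ValueError(f"only {len(collapsed)} usable prefixes, refusing to load")
    return collapsed, rejected

def is_bogon(addr, nets):
    """Containment match, as a firewall table does: more-specifics also hit."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in nets)

def pf_table_file(nets):
    """Render file contents for: pfctl -t bogons -T replace -f <file>."""
    return "".join(f"{net}\n" for net in nets)

if __name__ == "__main__":
    nets, rejected = parse_bogons(SAMPLE_LIST)
    print(pf_table_file(nets), end="")
```

Writing the rendered output to a temporary file and loading it only after `parse_bogons` returns keeps a bad download from emptying or over-widening the table.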