And by that he means: "only a few" =D.
-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On 6/2/21 12:40 AM, Stephen Satchell wrote:
Not every uplink service implements BCP38. When putting up servers
connected more-or-less directly to the Internet through these
uplinks, it would be nice if the servers themselves were able to
implement ingress and egress filtering according to BCP38. (Sorry
about the typo in the subject lines of my previous message -- not
everyone can get a BGP feed.)
(Or, when using Ubuntu server edition to implement edge routers.)
My earlier query was asking if anyone has encoded the blackhole
routes in YAML for inserting in netplan(5). My prior message
contains the routes to be blackholed. That takes care of egress
routing.
(I think I can write a Python program to take my list and convert
it to the YAML that netplan(5) wants to see. That way, the routes
are inserted when the public interface is up, and removed when the
public interface is down.)
Ingress routing appears to be a one-line addition. IPTABLES can be
told to weed out packets with unroutable source addresses. My
experiments will add something like this line to the firewall:
# iptables -A INPUT -m addrtype -i enp1s0 --src-type BLACKHOLE -j DROP
THIS HAS NOT BEEN VERIFIED. I'm building a web server that will
integrate this idea, and try it out.
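
The conversion mentioned in the quoted message (a prefix list turned into netplan blackhole routes), as an added example that is not part of the original thread. The prefix list is constructed sample data, the function names are hypothetical, and the interface name enp1s0 is taken from the iptables line above.

```python
import ipaddress

# Constructed sample input (RFC 1918 and RFC 5737 prefixes); the list from
# the earlier message is not reproduced on this page.
SAMPLE_PREFIXES = """
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
192.0.2.0/24     # TEST-NET-1
198.51.100.0/24  # TEST-NET-2
203.0.113.0/24   # TEST-NET-3
192.168.1.0/24   # redundant: inside 192.168.0.0/16
"""

def parse_prefixes(text):
    """Validate prefixes (one per line, '#' comments) and drop overlaps."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects typos such as 10.0.0.1/8 (host bits set)
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    out = []
    for version in (4, 6):  # collapse_addresses() refuses mixed families
        out += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return out

def netplan_yaml(nets, iface="enp1s0"):
    """Render a netplan routes stanza that blackholes each prefix."""
    if not nets:
        raise ValueError("refusing to emit an empty routes list")
    lines = ["network:", "  version: 2", "  ethernets:",
             f"    {iface}:", "      routes:"]
    for net in nets:
        # Assumes a netplan release whose routes accept 'type: blackhole'
        lines += [f'        - to: "{net}"', "          type: blackhole"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(netplan_yaml(parse_prefixes(SAMPLE_PREFIXES)), end="")
```

Checking the output with `netplan try` before applying keeps a bad route list from cutting off remote access to the host.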