After reviewing the comments from people on NANOG and some other locations, I have updated my list of routes to blackhole. The information at the end of this contribution is taken from the RHEL/CentOS NetworkManager dispatcher.d source file, which I use to install and remove the blackhole routes when the WAN interface is started and stopped.

First, let me expand on what I'm trying to do. The NetFilter NFTABLES includes in its tests the ability to determine if the source address of a packet is routable, and further classifies the result as LOCAL, BROADCAST, UNICAST, BLACKHOLE, and PROHIBITED, among others, as well as the interface that would be selected. By using the routing table in this way, maintaining the configuration of the firewall is simplified, particularly when interfaces are brought up or taken down. There is no coding change to the firewall. The fact that I can't send packets upstream with bad destinations is not the goal here. The goal is to detect packets inbound with bad source addresses that would affect my network, as well as ensuring that outbound packets have good source addresses.

Herewith is the revised information for your constructive criticism:
# Default IPv6 routing table (sorted by ipv6 address):
# ====================================================
# $ route -n6
# Kernel IPv6 routing table
# Destination                    Next Hop Flag Met Ref Use If
# ------------------------------ -------- ---- --- --- --- -------
# ::/0                           ::       !n   -1  1   0   lo
# ::/0                           ::       !n   -1  1   0   lo
# ::1/128                        ::       U    256 1   0   lo
# ::1/128                        ::       Un   0   4   0   lo
# fe80::/64                      ::       U    256 1   0   enp37s0
# fe80::7285:c2ff:fec0:bdff/128  ::       Un   0   2   0   enp37s0
# ff00::/8                       ::       U    256 6   0   enp37s0

# [-] -- not included in blacklist, part of default routes
# [#] -- not included in blacklist, policy
# investigate https://www.team-cymru.com/bogon-reference-http.html
# need to better understand Teredo tunneling
# rp_filter does the same as the nftables source routing check
nets="
0.0.0.0/8            Software         Current network (only valid as \
                                      source address).
10.0.0.0/8           Private network  Used for local communications \
                                      within a private network.
-100.64.0.0/10       Private network  Shared address space for \
                                      communications between a \
                                      service provider and its \
                                      subscribers when using a \
                                      carrier-grade NAT.
127.0.0.0/8          Host             Used for loopback addresses \
                                      to the local host.
169.254.0.0/16       Subnet           Used for link-local addresses \
                                      between two hosts on a single \
                                      link when no IP address is \
                                      otherwise specified, such as \
                                      would have normally been \
                                      retrieved from a DHCP server.
172.16.0.0/12        Private network  Used for local communications \
                                      within a private network.
192.0.0.0/24         Private network  IETF Protocol Assignments.
192.0.2.0/24         Documentation    Assigned as TEST-NET-1, \
                                      documentation and examples.
192.88.99.0/24       Internet         Reserved. Formerly used for \
                                      IPv6 to IPv4 relay (2002::/16).
192.168.0.0/16       Private network  Used for local communications \
                                      within a private network.
198.18.0.0/15        Private network  Used for benchmark testing of \
                                      inter-network communications \
                                      between two separate subnets.
198.51.100.0/24      Documentation    Assigned as TEST-NET-2, \
                                      documentation and examples.
203.0.113.0/24       Documentation    Assigned as TEST-NET-3, \
                                      documentation and examples.
224.0.0.0/4          Internet         In use for IP multicast. \
                                      (Former Class D network).
240.0.0.0/4          Internet         Reserved for future use. \
                                      (Former Class E network).
255.255.255.255/32   Subnet           Reserved for the 'limited \
                                      broadcast' destination address.
-::/0                Routing          Default route.
::/128               Software         Unspecified address.
-::1/128             Host             Loopback address to the local \
                                      host.
::ffff:0:0/96        Software         IPv4 mapped addresses.
::ffff:0:0:0/96      Software         IPv4 translated addresses.
64:ff9b::/96         Global Internet  IPv4/IPv6 translation.
100::/64             Routing          Discard prefix.
-2001::/32           Global Internet  Teredo tunneling.
2001:20::/28         Software         ORCHIDv2.
2001:db8::/32        Documentation    Addresses used in documentation \
                                      and example source code.
2002::/16            Global Internet  The 6to4 addressing scheme \
                                      (now deprecated).
fc00::/7             Private network  Unique local address.
-fe80::/10           Link             Link-local address.
-ff00::/8            Global Internet  Multicast address.
"
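The post describes the mechanism (blackhole routes installed by a dispatcher script, consumed by an nftables fib check) but does not show the script body or the firewall rule. The following is an added example, not the poster's dispatcher script: it parses a list in the same "prefix  category  description" layout (leading "-" or "#" marks an entry to leave alone, per the poster's legend), emits one ip(8) blackhole command per remaining prefix, and prints the nftables rules that rely on those routes. The NetworkManager dispatcher calling convention ($1 = interface, $2 = up/down) is real; WAN_IF, DRY_RUN, the shortened list and the nft table name are assumptions for illustration. With DRY_RUN=1 (the default) nothing is executed, so it runs without root or a network.

```sh
#!/bin/sh
# Added example (not the original poster's script). Installs or removes
# blackhole routes for bogon prefixes when the WAN interface comes up or
# goes down, so that nftables "fib saddr type blackhole" can reject them.
# WAN_IF and DRY_RUN are assumed knobs; enp37s0 is the poster's interface.

WAN_IF="${WAN_IF:-enp37s0}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed, shortened subset of the poster's list in the same layout.
# Entries whose prefix starts with '-' (default routes) or '#' (policy)
# are NOT blackholed, matching the poster's [-]/[#] legend.
nets="
0.0.0.0/8           Software         Current network (only valid as source).
10.0.0.0/8          Private network  Used for local communications.
-100.64.0.0/10      Private network  Shared address space for CGNAT.
127.0.0.0/8         Host             Loopback.
192.0.2.0/24        Documentation    TEST-NET-1.
224.0.0.0/4         Internet         IP multicast.
-::1/128            Host             Loopback address.
100::/64            Routing          Discard prefix.
-2001::/32          Global Internet  Teredo tunneling.
2001:db8::/32       Documentation    Documentation prefix.
fc00::/7            Private network  Unique local address.
-fe80::/10          Link             Link-local address.
"

# Print the prefixes that should receive a blackhole route: the first
# field of every non-empty line that is not flagged with '-' or '#'.
bogon_prefixes() {
    printf '%s\n' "$nets" | awk 'NF && $1 !~ /^[-#]/ { print $1 }'
}

# Exit status 0 if the prefix is IPv6 (contains a colon), 1 otherwise.
is_ipv6() {
    case "$1" in *:*) return 0 ;; *) return 1 ;; esac
}

# Emit one ip(8) command per prefix. "up" installs, "down" removes.
# 'replace' and the silenced delete keep repeated runs idempotent.
route_cmds() {
    action="$1"
    bogon_prefixes | while read -r p; do
        if is_ipv6 "$p"; then fam="-6"; else fam="-4"; fi
        case "$action" in
            up)   echo "ip $fam route replace blackhole $p" ;;
            down) echo "ip $fam route del blackhole $p 2>/dev/null" ;;
        esac
    done
}

# nftables fragment that consumes those routes (table name assumed):
# a source address the routing table resolves to a blackhole route is
# dropped, and a source that would be routed out a different interface
# than it arrived on (the rp_filter equivalent the poster mentions) too.
nft_rules() {
    cat <<'EOF'
table inet bogon {
    chain input {
        type filter hook input priority -10; policy accept;
        fib saddr type blackhole drop
        fib saddr . iif oif missing drop
    }
}
EOF
}

# Dispatcher entry point: act only on the WAN interface's up/down events.
main() {
    [ "$1" = "$WAN_IF" ] || exit 0
    case "$2" in
        up|down)
            route_cmds "$2" | while read -r cmd; do
                if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
            done ;;
    esac
}

# Behave as a dispatcher script only when given interface and action.
[ $# -ge 2 ] && main "$@"
```

Dropping the file into /etc/NetworkManager/dispatcher.d/ with DRY_RUN=0 makes it run for real; `sh script.sh enp37s0 up` with the default DRY_RUN=1 just lists the ip commands so the generated routes can be reviewed against the legend first.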
Stephen Satchell