On Thu, Dec 15, 2016 at 9:48 AM, Stephen Satchell <list@satchell.net> wrote:

https://bugzilla.redhat.com/show_bug.cgi?id=1370963

Just a reminder that I have a feature request outstanding with Red Hat to add support for BCP38, as well as measures for certain protocol-based amplification reflection attacks. My intent for making the suggestion is to stiffen firewalld(8) in Red Hat Enterprise and clones, particularly when an RHEL-based box is used as an edge router or firewall box.

I've looked at firewalld, and it would be easy to add *some* of BCP38 into it rather quickly...assuming that the developers step up to the plate. There are parts of BCP38 that won't be so easy to do, given the architecture of the package.

In my spare time, by the way, I'm working on a BCP-compilant firewall generator for IPTABLES. Spare time? Well, that *is* a bit of a laugh...

Given some quick time with definition making: https://github.com/google/capirca does this pretty easily, for example: def/NETWORK.net - content: MYNETS = 192.0.24.0/24 MYWEB = 192.0.24.2/32 STEPHEN_HOME = 198.16.0.23/32 def/SERVICES.svc - content: HTTP = tcp/80 HTTPS = tcp/443 SQUID = tcp/3128 APACHE_PROXY = tcp/8080 PROXY = SQUID APACHE_PROXY office/pol/fw.pol - content header { comment:: "My firewall policy" target:: iptables OUTPUT DROP nostate } term permit-web-stephen { comment:: "Permit stephen to my web, really FROM my web to stephen" destination-address:: STEPHEN_HOME source-address:: MYWEB protocol:: tcp destination-port:: HTTP HTTPS PROXY action:: permit } term bcp-38-only { comment:: "Permit only mynets outbound" source-address:: MYNETS action:: accept } term default-deny { comment:: "All other traffic dies" action:: deny } run the acl generation (aclgen.py) and ... out pops iptables to do what you want. a simple matter of script/software makes this even simple for iptables operators across many flavors of topology. -chris (note: I am not just a user of this solution I'm also a contributor)