BGP38 egress filter on Ubuntu Server
Before I re-invent the wheel, has anyone come up with blackhole route specifications for netplan in Ubuntu servers? Such a capability would perform the egress blocking for an edge server.

The table of blackhole routes I would set up:

IPv4
Address block        Scope             Description
0.0.0.0/8            Software          Current network (only valid as source address).
10.0.0.0/8           Private network   Used for local communications within a private network.
100.64.0.0/10        Private network   Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT.
127.0.0.0/8          Host              Used for loopback addresses to the local host.
169.254.0.0/16       Subnet            Used for link-local addresses between two hosts on a single link when no IP address is otherwise specified, such as would have normally been retrieved from a DHCP server.
172.16.0.0/12        Private network   Used for local communications within a private network.
192.0.0.0/24         Private network   IETF Protocol Assignments.
192.0.2.0/24         Documentation     Assigned as TEST-NET-1, documentation and examples.
192.88.99.0/24       Internet          Reserved. Formerly used for IPv6 to IPv4 relay.
192.168.0.0/16       Private network   Used for local communications within a private network.
198.18.0.0/15        Private network   Used for benchmark testing of inter-network communications between two separate subnets.
198.51.100.0/24      Documentation     Assigned as TEST-NET-2, documentation and examples.
203.0.113.0/24       Documentation     Assigned as TEST-NET-3, documentation and examples.
224.0.0.0/4          Internet          In use for IP multicast.
240.0.0.0/4          Internet          Reserved for future use.
255.255.255.255/32   Subnet            Reserved for the "limited broadcast" destination address.

IPv6
Address block        Usage             Purpose
::/0                 Routing           Default route.
::/128               Software          Unspecified address.
::1/128              Host              Loopback address to local host.
::ffff:0:0/96        Software          IPv4 mapped addresses.
::ffff:0:0:0/96      Software          IPv4 translated addresses.
64:ff9b::/96         Global Internet   IPv4/IPv6 translation.
100::/64             Routing           Discard prefix.
2001::/32            Global Internet   Teredo tunneling.
2001:20::/28         Software          ORCHIDv2.
2001:db8::/32        Documentation     Addresses used in documentation and example source code.
2002::/16            Global Internet   The 6to4 addressing scheme.
fc00::/7             Private network   Unique local address.
fe80::/10            Link              Link-local address.
ff00::/8             Global Internet   Multicast address.
On Tue, 1 Jun 2021 at 22:43, Stephen Satchell <list@satchell.net> wrote:
> Before I re-invent the wheel, has anyone come up with blackhole route specifications for netplan in Ubuntu servers? Such a capability would perform the egress blocking for an edge server.
https://team-cymru.com/community-services/bogon-reference/bogon-reference-bg...
https://team-cymru.com/community-services/bogon-reference/bogon-reference-ht...

💭 Could be considered implemented, too. Either as EBGP multi-hop feed from Cymru or via (scheduled cron) HTTP(s) download and distributed internally in your network via IBGP.

-- 
Chriztoffer
On Tue, 1 Jun 2021 at 22:58, Chriztoffer Hansen <ch@ntrv.dk> wrote:
> https://team-cymru.com/community-services/bogon-reference/bogon-reference-ht...

I have found that pfSense uses this feed to filter traffic if 'Block bogon networks' is enabled on the WAN interface(s). I.e. the pfSense bogons + bogonsv6 tables match the Cymru HTTP feed.

-- 
Chriztoffer
On Tue, Jun 1, 2021 at 1:47 PM Stephen Satchell <list@satchell.net> wrote:
> Before I re-invent the wheel, has anyone come up with blackhole route specifications for netplan in Ubuntu servers? Such a capability would perform the egress blocking for an edge server.
>
> The table of blackhole routes I would set up:

Hi Stephen,

I think you may be misunderstanding BCP 38. BCP 38 is about limiting -source- addresses. What you've described is bogon filtering on destination IP addresses. As far as I know, there's no BCP on bogon filtering although BCP 84 offers some relevant advice.

BCP 38 is very simple:

1. If your IP address is 1.2.3.4 then drop any Internet-bound packets which purport to be -from- any address which is not 1.2.3.4.
2. If your IP address is 1.2.3.4 then drop any packets FROM the Internet which purport to be -from- 1.2.3.4.

That's it!

Regards,
Bill Herrin

-- 
William Herrin
bill@herrin.us
https://bill.herrin.us/
On 6/2/21 12:39 AM, William Herrin wrote:
> I think you may be misunderstanding BCP 38. BCP 38 is about limiting -source- addresses. What you've described is bogon filtering on destination IP addresses. As far as I know, there's no BCP on bogon filtering although BCP 84 offers some relevant advice.

I agree. However I will add that it's trivial to extend the destination based filtering to be source based filtering by enabling reverse path filtering. Adding the bogons as destinations to a routing table (that is processed) is compatible with reverse path filtering. Putting the bogons in IPTables / NFTables is incompatible with reverse path filtering.

Stephen: I've not done this with NetPlan but I do this on Linux and have found it to be extremely effective when combined with reverse path filtering. I have an EBGP feed from Team Cymru and augment it (additional routing tables) with (e-)DROP and federated Fail-2-Ban.

I like it!

-- 
Grant. . . .
unix || die
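As an added example (not code from anyone in this thread), a small Python script that turns Stephen's prefix table into netplan blackhole routes after two checks a practitioner would want first: it refuses a /0 (the IPv6 table above includes ::/0, the default route) and any prefix that contains one of the server's own addresses. The interface name eth0, the two local addresses and the trimmed prefix list are constructed assumptions, and the script assumes a netplan version that accepts `type: blackhole` in a route entry.

```python
import ipaddress

# Constructed subset of the prefixes from the post's table (not the full list).
BOGON_PREFIXES = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "255.255.255.255/32",
    "::/0", "::/128", "::1/128", "::ffff:0:0/96", "64:ff9b::/96", "100::/64",
    "2001:db8::/32", "fc00::/7", "fe80::/10", "ff00::/8",
]


def plan_blackholes(prefixes, local_addrs):
    """Return (routes, skipped): netplan route entries, and prefix -> reason left out."""
    routes, skipped = [], {}
    local = [ipaddress.ip_interface(a) for a in local_addrs]
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        # A /0 is the default route, not a bogon; blackholing it would drop
        # every packet of that address family.
        if net.prefixlen == 0:
            skipped[p] = "prefix length 0 covers the default route"
            continue
        # An edge server often has a private management address; blackholing
        # the prefix it lives in would cut that interface off.
        hit = [str(a.ip) for a in local if a.version == net.version and a.ip in net]
        if hit:
            skipped[p] = "contains local address(es): " + ", ".join(hit)
            continue
        routes.append({"to": str(net), "type": "blackhole"})
    return routes, skipped


def render_netplan(routes, iface="eth0"):
    """Emit a netplan v2 fragment; iface is a placeholder interface name."""
    lines = ["network:", "  version: 2", "  ethernets:", f"    {iface}:", "      routes:"]
    for r in routes:
        lines.append(f"        - to: {r['to']}")
        lines.append(f"          type: {r['type']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed local addresses: a private management IP and a ULA address.
    routes, skipped = plan_blackholes(BOGON_PREFIXES, ["10.20.30.40/24", "fd00::1/64"])
    print(render_netplan(routes))
    for prefix, why in skipped.items():
        print(f"# skipped {prefix}: {why}")
```

Review the skipped list before applying the fragment; as Grant notes above, once reverse path filtering is enabled the same blackhole routes also cause the kernel to drop packets claiming to come from those prefixes.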