Date:      Sun, 04 May 2003 12:14:44 -0400
From:      Chuck Swiger <chuck@codefab.com>
To:        freebsd-isp@FreeBSD.ORG
Subject:   Netblocks to filter, was: Re: [fw-wiz] Protecting a datacentre with a firewall
Message-ID:  <3EB53C74.40500@codefab.com>

I'd dug up some information about invalid IP network blocks to filter 
from a discussion on the firewall-wizards mailing list, and converted it 
to a set of IPFW(2) rules:

[ ... ]
And let's raise the bar a little and see how many firewall vendors
handle bogus netblocks properly. There's a nice resource here:
http://www.cymru.com/Bogons/index.html which says:

| How much does it help to filter the bogons?  In one study conducted by
| Rob Thomas of a frequently attacked site, fully 60% of the naughty
| packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.).

Does Zorp know about and filter these properly?  Does Cisco's PIX?

I've been blocking many of them already, but here's my updated set of
IPFW2 rules, with RFC-1918, autoconf, and multicast addresses commented
out.  I'm doing NAT or divert sockets in some cases and have
per-interface directional rules, but season to taste:

####
# Stop other bogus networks (often used by DDoS attacks)

add deny log all from 0.0.0.0/7 to any
add deny log all from 2.0.0.0/8 to any
add deny log all from 5.0.0.0/8 to any
add deny log all from 7.0.0.0/8 to any
#add deny log all from 10.0.0.0/8 to any
add deny log all from 23.0.0.0/8 to any
add deny log all from 27.0.0.0/8 to any
add deny log all from 31.0.0.0/8 to any
add deny log all from 36.0.0.0/7 to any
add deny log all from 39.0.0.0/8 to any
add deny log all from 41.0.0.0/8 to any
add deny log all from 42.0.0.0/8 to any
add deny log all from 49.0.0.0/8 to any
add deny log all from 50.0.0.0/8 to any
add deny log all from 58.0.0.0/7 to any
add deny log all from 70.0.0.0/7 to any
add deny log all from 72.0.0.0/5 to any
add deny log all from 83.0.0.0/8 to any
add deny log all from 84.0.0.0/6 to any
add deny log all from 88.0.0.0/5 to any
add deny log all from 96.0.0.0/3 to any
#add deny log all from 169.254.0.0/16 to any
#add deny log all from 172.16.0.0/12 to any
add deny log all from 173.0.0.0/8 to any
add deny log all from 174.0.0.0/7 to any
add deny log all from 176.0.0.0/5 to any
add deny log all from 184.0.0.0/6 to any
add deny log all from 189.0.0.0/8 to any
add deny log all from 190.0.0.0/8 to any
add deny log all from 192.0.2.0/24 to any
#add deny log all from 192.168.0.0/16 to any
add deny log all from 197.0.0.0/8 to any
add deny log all from 198.18.0.0/15 to any
add deny log all from 223.0.0.0/8 to any
#add deny log all from 224.0.0.0/3 to any

-- 
-Chuck

PS: If this information is valid and seems useful to other people, maybe 
I'll send-pr these as a set of suggested changes for /etc/rc.firewall.