From owner-freebsd-isp@FreeBSD.ORG Sun May 4 09:14:47 2003
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8C23037B401
	for ; Sun, 4 May 2003 09:14:47 -0700 (PDT)
Received: from out004.verizon.net (out004pub.verizon.net [206.46.170.142])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9EC2043FBD
	for ; Sun, 4 May 2003 09:14:46 -0700 (PDT)
	(envelope-from chuck@codefab.com)
Received: from codefab.com ([129.44.60.214])
	by out004.verizon.net (InterMail vM.5.01.05.33 201-253-122-126-133-20030313)
	with ESMTP id <20030504161445.BYKI28930.out004.verizon.net@codefab.com>
	for ; Sun, 4 May 2003 11:14:45 -0500
Message-ID: <3EB53C74.40500@codefab.com>
Date: Sun, 04 May 2003 12:14:44 -0400
From: Chuck Swiger
Organization: CodeFab
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030501
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-isp@FreeBSD.ORG
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Authentication-Info: Submitted using SMTP AUTH at out004.verizon.net from [129.44.60.214] at Sun, 4 May 2003 11:14:45 -0500
Subject: Netblocks to filter, was: Re: [fw-wiz] Protecting a datacentre with a firewall
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Sun, 04 May 2003 16:14:47 -0000

I'd dug up some information about invalid IP network blocks to filter from a
discussion on the firewall-wizards mailing list, and converted it to a set of
IPFW(2) rules:

[ ... ]

And let's raise the bar a little, and see how many firewall vendors handle
bogus netblocks properly?  There's a nice resource here:

    http://www.cymru.com/Bogons/index.html

which says:

| How much does it help to filter the bogons?  In one study conducted by
| Rob Thomas of a frequently attacked site, fully 60% of the naughty
| packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.).

Does Zorp know about and filter these properly?  Does Cisco's PIX?

I've been blocking many of them already, but here's my updated set of IPFW2
rules, with RFC-1918, autoconf, and multicast addresses commented out.  I'm
doing NAT or divert sockets in some cases and have per-interface directional
rules, but season to taste:

####
# Stop other bogus networks (often used by DDoS attacks)
add deny log all from 0.0.0.0/7 to any
add deny log all from 2.0.0.0/8 to any
add deny log all from 5.0.0.0/8 to any
add deny log all from 7.0.0.0/8 to any
#add deny log all from 10.0.0.0/8 to any
add deny log all from 23.0.0.0/8 to any
add deny log all from 27.0.0.0/8 to any
add deny log all from 31.0.0.0/8 to any
add deny log all from 36.0.0.0/7 to any
add deny log all from 39.0.0.0/8 to any
add deny log all from 41.0.0.0/8 to any
add deny log all from 42.0.0.0/8 to any
add deny log all from 49.0.0.0/8 to any
add deny log all from 50.0.0.0/8 to any
add deny log all from 58.0.0.0/7 to any
add deny log all from 70.0.0.0/7 to any
add deny log all from 72.0.0.0/5 to any
add deny log all from 83.0.0.0/8 to any
add deny log all from 84.0.0.0/6 to any
add deny log all from 88.0.0.0/5 to any
add deny log all from 96.0.0.0/3 to any
#add deny log all from 169.254.0.0/16 to any
#add deny log all from 172.16.0.0/12 to any
add deny log all from 173.0.0.0/8 to any
add deny log all from 174.0.0.0/7 to any
add deny log all from 176.0.0.0/5 to any
add deny log all from 184.0.0.0/6 to any
add deny log all from 189.0.0.0/8 to any
add deny log all from 190.0.0.0/8 to any
add deny log all from 192.0.2.0/24 to any
#add deny log all from 192.168.0.0/16 to any
add deny log all from 197.0.0.0/8 to any
add deny log all from 198.18.0.0/15 to any
add deny log all from 223.0.0.0/8 to any
#add deny log all from 224.0.0.0/3 to any

-- 
-Chuck

PS: If this information is valid and seems useful to other people, maybe I'll
send-pr these as a set of suggested changes for /etc/rc.firewall.
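As an added example, not part of Chuck's message or of rc.firewall, the following Python script parses the ruleset above (copied verbatim, including the commented-out lines) with the standard ipaddress module, reproduces ipfw's first-match semantics for a given source address, and reports how much of the IPv4 space the active rules cover. The rule text is the message's own; the probe addresses 127.1.2.3 and 0.5.4.3 are the two quoted from Rob Thomas' study, and the remaining probe addresses are constructed here to exercise the commented-out blocks and an address outside every listed prefix.

```python
import ipaddress

# Bogon ruleset copied from the message above, in ipfw(8) syntax.
# Lines beginning with "#" are the ones left commented out there.
RULES_TEXT = """\
####
# Stop other bogus networks (often used by DDoS attacks)
add deny log all from 0.0.0.0/7 to any
add deny log all from 2.0.0.0/8 to any
add deny log all from 5.0.0.0/8 to any
add deny log all from 7.0.0.0/8 to any
#add deny log all from 10.0.0.0/8 to any
add deny log all from 23.0.0.0/8 to any
add deny log all from 27.0.0.0/8 to any
add deny log all from 31.0.0.0/8 to any
add deny log all from 36.0.0.0/7 to any
add deny log all from 39.0.0.0/8 to any
add deny log all from 41.0.0.0/8 to any
add deny log all from 42.0.0.0/8 to any
add deny log all from 49.0.0.0/8 to any
add deny log all from 50.0.0.0/8 to any
add deny log all from 58.0.0.0/7 to any
add deny log all from 70.0.0.0/7 to any
add deny log all from 72.0.0.0/5 to any
add deny log all from 83.0.0.0/8 to any
add deny log all from 84.0.0.0/6 to any
add deny log all from 88.0.0.0/5 to any
add deny log all from 96.0.0.0/3 to any
#add deny log all from 169.254.0.0/16 to any
#add deny log all from 172.16.0.0/12 to any
add deny log all from 173.0.0.0/8 to any
add deny log all from 174.0.0.0/7 to any
add deny log all from 176.0.0.0/5 to any
add deny log all from 184.0.0.0/6 to any
add deny log all from 189.0.0.0/8 to any
add deny log all from 190.0.0.0/8 to any
add deny log all from 192.0.2.0/24 to any
#add deny log all from 192.168.0.0/16 to any
add deny log all from 197.0.0.0/8 to any
add deny log all from 198.18.0.0/15 to any
add deny log all from 223.0.0.0/8 to any
#add deny log all from 224.0.0.0/3 to any
"""

PREFIX = ["add", "deny", "log", "all", "from"]
SUFFIX = ["to", "any"]


def parse_rules(text):
    """Return [(active, network), ...] in rule order.

    A rule whose line starts with '#' is kept but marked inactive, so the
    commented-out RFC-1918/autoconf/multicast blocks can still be reported.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        active = not line.startswith("#")
        parts = line.lstrip("#").split()
        # Banner and free-text comment lines are not rules: skip them.
        if len(parts) != 8 or parts[:5] != PREFIX or parts[6:] != SUFFIX:
            continue
        # strict=True rejects a prefix with host bits set (almost always a
        # typo in a hand-maintained list) instead of silently masking it.
        rules.append((active, ipaddress.ip_network(parts[5], strict=True)))
    return rules


def first_match(rules, src):
    """Network of the first active rule matching src, or None.

    ipfw walks rules in order and the first matching 'deny' ends the search,
    so a first-match scan reproduces the kernel's decision for that source.
    """
    addr = ipaddress.ip_address(src)
    for active, net in rules:
        if active and addr in net:
            return net
    return None


def active_address_count(rules):
    """IPv4 addresses covered by active rules; overlaps are merged, not double-counted."""
    nets = [net for active, net in rules if active]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # 127.1.2.3 and 0.5.4.3 are the Rob Thomas examples; 10.1.2.3 and
    # 192.0.2.1 probe a commented-out and an active block; 8.8.8.8 is a
    # constructed address outside every listed prefix.
    for src in ("127.1.2.3", "0.5.4.3", "10.1.2.3", "192.0.2.1", "8.8.8.8"):
        hit = first_match(rules, src)
        print(f"{src:>12}  {'deny by ' + str(hit) if hit else 'not matched'}")
    print(f"active rules: {sum(a for a, _ in rules)}/{len(rules)}, "
          f"covering {active_address_count(rules) / 2**32:.1%} of IPv4")
```

Running it shows that 127.1.2.3 is caught by the 96.0.0.0/3 rule (that prefix spans 96.0.0.0 through 127.255.255.255), that 0.5.4.3 is caught by 0.0.0.0/7, and that 10.1.2.3 passes because the 10.0.0.0/8 rule is commented out. The same parser can be pointed at a candidate rc.firewall edit before it is loaded, which matters because a list like this describes which prefixes were unallocated when it was written; the Cymru page exists precisely because that set changes as space is allocated, so the list has to be regenerated from a current source rather than copied once and kept.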