[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Request comment: list of IPs to block outbound

Subject: Request comment: list of IPs to block outbound
From: gtaylor at tnetconsulting.net (Grant Taylor)
Date: Sun, 13 Oct 2019 18:35:31 -0600
In-reply-to: <[email protected]>
References: <[email protected]>

On 10/13/19 9:58 AM, Stephen Satchell wrote:
> The Linux rp_filter knob is effective for endpoint servers and 
> workstations, and I turn it on religiously (easy because it's the 
> default).

I think it's just as effective on routers as it is on servers and 
workstations.

> For a firewall router without blackhole routes, it's less effective 
> because, for incoming packets, a source address matching one of your 
> inside netblocks will pass.

I'm not following that statement.  Is incoming a reference to packets 
from the Internet to your LAN?  Or is incoming a reference to packets 
coming in any interface, thus possibly including from your LAN to the 
Internet?

Even without blackhole (reject) routes, a packet from the Internet 
spoofing a LAN IP will be rejected by rp_filter because it's coming in 
an interface that is not an outgoing interface for the purported source IP.

> A subset of the list would be useful in endpoint boxes to relieve 
> pressure on the upstream edge router -- particularly if a ne'er-do-well 
> successfully hijacks the endpoint box to participate in a DDoS flood.

rp_filtering will filter packets coming in from the internal endpoint 
that's been compromised if the packets spoof a source from anywhere by 
the local LAN.  (No comment about spoofing different LAN IPs.)

I've been exceedingly happy with rp_filter and blackhole (reject) routes.

I've taken this to another level where I have multiple routing tables 
and rules that cascade across tables.  One of the later rules is a 
routing table for any and all bogons & RFC 3330.  I am still able to 
access specific networks that fall into RFC 3330 on internal lab 
networks without a problem because those prefixes are found in routing 
tables that are searched before the bogon table that black holes 
(rejects) the packets.  IMHO it works great.  (I really should do a 
write up of that.)

I think you should seriously re-consider using rp_filter on a router.

-- 
Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20191013/e36fbe03/attachment.bin>

Follow-Ups:
- Request comment: list of IPs to block outbound
  - From: saku at ytti.fi (Saku Ytti)

References:
- Request comment: list of IPs to block outbound
  - From: list at satchell.net (Stephen Satchell)

Prev by Date: Request comment: list of IPs to block outbound
Next by Date: Request comment: list of IPs to block outbound
Previous by thread: Request comment: list of IPs to block outbound
Next by thread: Request comment: list of IPs to block outbound
Index(es):
- Date
- Thread