North American Network Operators Group


Re: Bogon filtering (don't ban me)

  • From: Joe Abley
  • Date: Sun Dec 05 12:43:13 2004

On 5 Dec 2004, at 06:50, Cliff Albert wrote:

> I have one question regarding the CYMRU bogon route-server. What good is
> it if more-specific bogons are going around in the BGP table?
With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to BGP updates received from individual peers which updates a pf radix table with the network received:

# team cymru bogon route servers

group "bogons" {
	remote-as 65333
	local-address A.B.C.D
	multihop 64
	announce none
	max-prefix 1000
	tcp md5sig password "xxsomethingxx"

	neighbor E.F.G.H
	neighbor I.J.K.L
}

# cymru set 65333:888 on bogon routes
allow from any community 65333:888 set pftable "bogons"
allow from any community 65333:888 set nexthop blackhole

This allows you to block inbound/outbound packets in the packet filter, and not just rely on blackhole routing (I left the "nexthop blackhole" policy statement in there to provide some coverage in case I accidentally disable pf one day due to caffeine deficiency). The pf config bits are:

table <bogons> persist

# no bogon sources or destinations
block quick from <bogons> to any
block quick from any to <bogons>

This seems to work very nicely, and neatly accommodates the problem of what to do with packets which follow more-specific routes of the cymru bogon supernets. The rules above would probably need to be loosened somewhat for a network which used 1918 addresses and NAT, since the 1918 addresses are included in the bogon feed.

This is an answer that is probably not useful for the average ISP backbone, but I tried it out a week or so ago on my home network firewall/router boxes, and it works very nicely. It's a good solution for (say) an enterprise network whose external traffic falls within the bounds of what an OpenBSD box can handle (or boxes, if you do stateful failover with CARP and pfsync).


Joe
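As an added illustration, not part of Joe's post, here is a small Python model of why the pf table catches what blackhole routing alone misses: the kernel's longest-prefix match forwards a packet toward a leaked more-specific of a bogon supernet, while a pf-style table match on source/destination still blocks it. The prefixes, the leaked route and the "internal" carve-out table are constructed sample data; the carve-out is one way to model the loosening for an RFC 1918/NAT site, not behaviour pf provides on its own.

```python
import ipaddress

# Constructed sample data. Prefixes the feed tags 65333:888 and bgpd
# therefore pushes into the <bogons> table; 10/8 stands in for RFC 1918.
BOGON_FEED = ["192.0.2.0/24", "10.0.0.0/8", "203.0.113.0/24"]

# Constructed RIB: bgpd blackholed the bogon routes, but a peer also
# advertised a more-specific inside one of them.
RIB = {
    "0.0.0.0/0": "upstream",
    "192.0.2.0/24": "blackhole",
    "10.0.0.0/8": "blackhole",
    "203.0.113.0/24": "blackhole",
    "192.0.2.128/25": "peer-leak",   # more specific than the bogon route
}

# Constructed: an RFC 1918 range in use behind NAT that must keep working.
INTERNAL = ["10.1.0.0/16"]


def lookup_route(rib, dst):
    """Longest-prefix match, as the forwarding path does it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def in_table(table, addr):
    """pf table semantics: any entry containing the address matches."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p) for p in table)


def pf_verdict(bogons, internal, src, dst):
    """block quick from <bogons> to any / block quick from any to <bogons>,
    with the internal ranges exempted (hypothetical loosening for NAT)."""
    for addr in (src, dst):
        if in_table(bogons, addr) and not in_table(internal, addr):
            return "block"
    return "pass"


def packet_fate(rib, bogons, internal, src, dst):
    """What happens end to end: pf sees the packet before the route does."""
    if pf_verdict(bogons, internal, src, dst) == "block":
        return "dropped-by-pf"
    return "routed-to-" + lookup_route(rib, dst)
```

Routing alone would hand a packet for 192.0.2.200 to the leaked /25; the table check drops it first, while traffic from the exempted 10.1/16 still passes.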