Hi, sorry - but why would you want to block Teredo / 6to4?

Florian Brandstetter
President & Founder
W // https://www.globalone.io
On Oct. 13 2019, at 5:58 pm, Stephen Satchell <l...@satchell.net> wrote:

> The following list is what I'm thinking of using for blocking traffic
> between an edge router acting as a firewall and an ISP/upstream. This
> table is limited to address blocks only; TCP/UDP port filtering, and IP
> protocol filtering, is a separate discussion. This is for an
> implementation of BCP-38 recommendations.
>
> I'm trying to decide whether the firewall should just blackhole these
> addresses in the routing table, or use rules in NFTABLES against source
> and destination addresses, or some combination. If NFTABLES, the best
> place to put the blocks (inbound and outbound) would be in the FORWARD
> chain, both inbound and outbound. (N.B. for endpoint boxes, they go
> into the OUTPUT chain.)
>
> In trying to research what would constitute "best practice", the papers
> I found were outdated, potentially incomplete (particularly with
> reference to IPv6), or geared toward other applications. This table
> currently does not have exceptions -- some may need to be added as a
> specific "allow" route or list.
>
> The Linux rp_filter knob is effective for endpoint servers and
> workstations, and I turn it on religiously (easy because it's the
> default). For a firewall router without blackhole routes, it's less
> effective because, for incoming packets, a source address matching one
> of your inside netblocks will pass. A subset of the list would be
> useful in endpoint boxes to relieve pressure on the upstream edge router
> -- particularly if a ne'er-do-well successfully hijacks the endpoint box
> to participate in a DDoS flood.
>
> IPv4
> Address block       Scope            Description
> 0.0.0.0/8           Software         Current network (only valid as source address).
> 10.0.0.0/8          Private network  Used for local communications within a private network.
> 100.64.0.0/10       Private network  Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT.
> 127.0.0.0/8         Host             Used for loopback addresses to the local host.
> 169.254.0.0/16      Subnet           Used for link-local addresses between two hosts on a single link when no IP address is otherwise specified, such as would have normally been retrieved from a DHCP server.
> 172.16.0.0/12       Private network  Used for local communications within a private network.
> 192.0.0.0/24        Private network  IETF Protocol Assignments.
> 192.0.2.0/24        Documentation    Assigned as TEST-NET-1, documentation and examples.
> 192.88.99.0/24      Internet         Reserved. Formerly used for IPv6 to IPv4 relay.
> 192.168.0.0/16      Private network  Used for local communications within a private network.
> 198.18.0.0/15       Private network  Used for benchmark testing of inter-network communications between two separate subnets.
> 198.51.100.0/24     Documentation    Assigned as TEST-NET-2, documentation and examples.
> 203.0.113.0/24      Documentation    Assigned as TEST-NET-3, documentation and examples.
> 224.0.0.0/4         Internet         In use for IP multicast.
> 240.0.0.0/4         Internet         Reserved for future use.
> 255.255.255.255/32  Subnet           Reserved for the "limited broadcast" destination address.
>
> IPv6
> Address block       Usage            Purpose
> ::/0                Routing          Default route.
> ::/128              Software         Unspecified address.
> ::1/128             Host             Loopback address to local host.
> ::ffff:0:0/96       Software         IPv4 mapped addresses.
> ::ffff:0:0:0/96     Software         IPv4 translated addresses.
> 64:ff9b::/96        Global Internet  IPv4/IPv6 translation.
> 100::/64            Routing          Discard prefix.
> 2001::/32           Global Internet  Teredo tunneling.
> 2001:20::/28        Software         ORCHIDv2.
> 2001:db8::/32       Documentation    Addresses used in documentation and example source code.
> 2002::/16           Global Internet  The 6to4 addressing scheme.
> fc00::/7            Private network  Unique local address.
> fe80::/10           Link             Link-local address.
> ff00::/8            Global Internet  Multicast address.
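The nftables FORWARD-chain filter the quoted message sketches, written out as an added example (not code from either poster): the address table becomes interval sets, the ingress rules drop the spoofed-inside-source case that rp_filter alone lets through, and the egress rules enforce the BCP-38 side. The interface name eth0 and the inside prefixes are assumptions, and Teredo/6to4 sit in their own set so the question raised in the reply can be settled without touching the rest.

```nft
#!/usr/sbin/nft -f
# Added example (not from either poster): BCP-38 filtering in the FORWARD path
# of a Linux edge router, built from the address table quoted above.
# Interface name and inside prefixes are assumptions. The inside prefixes are
# PLACEHOLDERS from documentation ranges; replace them with the site's real
# allocations, otherwise the egress rules drop the site's own traffic.
define wan = "eth0"
define inside4 = { 198.51.100.0/24 }
define inside6 = { 2001:db8:1::/48 }

table inet bcp38 {
    set bogons4 {
        type ipv4_addr
        flags interval
        # 255.255.255.255/32 omitted: it lies inside 240.0.0.0/4, and an
        # interval set rejects overlapping elements.
        elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
                     169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24,
                     192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16,
                     198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24,
                     224.0.0.0/4, 240.0.0.0/4 }
    }
    set bogons6 {
        type ipv6_addr
        flags interval
        # ::/0 in the table is the default route, not a filter entry.
        elements = { ::/128, ::1/128, ::ffff:0:0/96, ::ffff:0:0:0/96,
                     64:ff9b::/96, 100::/64, 2001:20::/28, 2001:db8::/32,
                     fc00::/7, fe80::/10, ff00::/8 }
    }
    # Teredo and 6to4 kept apart: the reply above questions dropping them,
    # so the rules that use this set can be removed on their own.
    set transition6 {
        type ipv6_addr
        flags interval
        elements = { 2001::/32, 2002::/16 }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Ingress: nothing arriving from upstream may carry a bogon or one of
        # our own prefixes as its source address.
        iifname $wan ip saddr @bogons4 counter drop
        iifname $wan ip saddr $inside4 counter drop
        iifname $wan ip6 saddr @bogons6 counter drop
        iifname $wan ip6 saddr @transition6 counter drop
        iifname $wan ip6 saddr $inside6 counter drop
        # Egress: only our own source addresses leave, never toward a bogon.
        oifname $wan ip saddr != $inside4 counter drop
        oifname $wan ip daddr @bogons4 counter drop
        oifname $wan ip6 saddr != $inside6 counter drop
        oifname $wan ip6 daddr @bogons6 counter drop
    }
}
```

Load it with `nft -f` on a test router first and watch the `counter` values on each rule; a rising egress counter usually means the inside prefix list is incomplete rather than that hosts are spoofing.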