Support Forum
Stuart_Kendrick
New Contributor

Blocking Bogons

Is anyone else doing this?

I am using the following list of reserved addresses: https://en.wikipedia.org/wiki/Reserved_IP_addresses

Does the following look like a coherent approach?

config firewall address
  edit "bogon-zero"
    set subnet 0.0.0.0 255.0.0.0
    set allow-routing enable
  next
  edit "bogon-rfc1918-slash-8"
    set subnet 10.0.0.0 255.0.0.0
    set allow-routing enable
  next
  edit "bogon-shared-address-space"
    set subnet 100.64.0.0 255.192.0.0
    set allow-routing enable
  next
  edit "bogon-loopback"
    set subnet 127.0.0.0 255.0.0.0
    set allow-routing enable
  next
  edit "bogon-apipa"
    set subnet 169.254.0.0 255.255.0.0
    set allow-routing enable
  next
  edit "bogon-rfc1918-slash-12"
    set subnet 172.16.0.0 255.240.0.0
    set allow-routing enable
  next
  edit "bogon-test-net-1"
    set subnet 192.0.2.0 255.255.255.0
    set allow-routing enable
  next
  edit "bogon-rfc1918-slash-16"
    set subnet 192.168.0.0 255.255.0.0
    set allow-routing enable
  next
  edit "bogon-rfc2544"
    set subnet 198.18.0.0 255.254.0.0
    set allow-routing enable
  next
  # TEST-NET-2 is 198.51.100.0/24 (RFC 5737); the original snippet had 198.51.0.0/24
  edit "bogon-test-net-2"
    set subnet 198.51.100.0 255.255.255.0
    set allow-routing enable
  next
  edit "bogon-test-net-3"
    set subnet 203.0.113.0 255.255.255.0
    set allow-routing enable
  next
end
config firewall addrgrp
  edit Bogons
    set member "bogon-zero" "bogon-rfc1918-slash-8" "bogon-shared-address-space" "bogon-loopback" "bogon-apipa" "bogon-rfc1918-slash-12" "bogon-test-net-1" "bogon-rfc1918-slash-16" "bogon-rfc2544" "bogon-test-net-2" "bogon-test-net-3"
    set color 10
    set allow-routing enable
  next
end
config router static
  edit 21
    set dst Bogons
    set distance 254
    set blackhole enable
  next
end


--sk

emnoc
Esteemed Contributor III

No, but I have a policy with those and martians that have src/dst address with action deny set

Ken Felix
PCNSE NSE StrongSwan
Toshi_Esumi
Esteemed Contributor III

To me, Bogon routes are harmful when the routes are advertised on the internet, not on private networks. Some may be necessary in private networks, and they wouldn't hurt even if the bogus/unnecessary super subnet routes existed.

So we only block those and all longer prefixes in them from BGP advertisement toward the Internet.

ede_pfau
Esteemed Contributor III

I use the attached config snippet to install blackhole routes for all bogon networks, with the additional quirk that they are always disregarded if there is another route with 'normal' priority.

Say you have an IPsec tunnel and behind that a private network. You need to set a static route to this network in order to allow traffic to it. Now, in case the VPN breaks down, this traffic will follow the default route and be forwarded to the WAN interface. With a blackhole route, it will just be discarded. No leakage and, more importantly, no session buildup. The moment the tunnel is re-established, the connection is up again, as it does not have to wait for session expiry of the WAN-bound traffic.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
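An added example, not code from the thread: it generates the bogon address objects, group and distance-254 blackhole route in the shape of the question's snippet (keywords copied from there; TEST-NET-2 per RFC 5737), then simulates route selection to show the failover behaviour Ede describes. The names fortigate_config, build_routes, lookup and the VPN prefix 10.20.0.0/16 are constructed for this illustration.

```python
import ipaddress

# Bogon prefixes as in the question's config (TEST-NET-2 per RFC 5737 is 198.51.100.0/24).
BOGONS = {
    "bogon-zero": "0.0.0.0/8",
    "bogon-rfc1918-slash-8": "10.0.0.0/8",
    "bogon-shared-address-space": "100.64.0.0/10",
    "bogon-loopback": "127.0.0.0/8",
    "bogon-apipa": "169.254.0.0/16",
    "bogon-rfc1918-slash-12": "172.16.0.0/12",
    "bogon-test-net-1": "192.0.2.0/24",
    "bogon-rfc1918-slash-16": "192.168.0.0/16",
    "bogon-rfc2544": "198.18.0.0/15",
    "bogon-test-net-2": "198.51.100.0/24",
    "bogon-test-net-3": "203.0.113.0/24",
}

def fortigate_config(bogons, group="Bogons", route_id=21, distance=254):
    """Emit address objects, the address group and one blackhole route (keywords mirror the question)."""
    lines = ["config firewall address"]
    for name, cidr in bogons.items():
        net = ipaddress.ip_network(cidr, strict=True)  # strict: reject a prefix with host bits set
        lines += [f'  edit "{name}"', f"    set subnet {net.network_address} {net.netmask}",
                  "    set allow-routing enable", "  next"]
    lines += ["end", "config firewall addrgrp", f"  edit {group}",
              "    set member " + " ".join(f'"{n}"' for n in bogons),
              "    set allow-routing enable", "  next", "end",
              "config router static", f"  edit {route_id}", f"    set dst {group}",
              f"    set distance {distance}", "    set blackhole enable", "  next", "end"]
    return "\n".join(lines)

def build_routes(bogons, vpn_up, vpn_prefix="10.20.0.0/16"):
    """Constructed table: default route, VPN route while the tunnel is up, bogon blackholes at 254."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), 10, "wan")]  # (network, distance, next-hop label)
    if vpn_up:
        routes.append((ipaddress.ip_network(vpn_prefix), 10, "vpn"))
    routes += [(ipaddress.ip_network(c), 254, "blackhole") for c in bogons.values()]
    return routes

def lookup(dst, routes):
    """Longest prefix wins; for equal prefixes the lowest administrative distance wins,
    which is why distance 254 lets any 'normal' route to the same prefix take precedence."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[1]))[2]
```

With the tunnel up, 10.20.1.5 follows the /16 VPN route; with it down, the 10.0.0.0/8 blackhole catches the traffic instead of the default route, while a 10.x address with no VPN route is blackholed either way.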