Is anyone else doing this?
I am using the following list of reserved addresses: https://en.wikipedia.org/wiki/Reserved_IP_addresses
Does the following look like a coherent approach?
```
config firewall address
    edit "bogon-zero"
        set subnet 0.0.0.0 255.0.0.0
        set allow-routing enable
    next
    edit "bogon-rfc1918-slash-8"
        set subnet 10.0.0.0 255.0.0.0
        set allow-routing enable
    next
    edit "bogon-shared-address-space"
        set subnet 100.64.0.0 255.192.0.0
        set allow-routing enable
    next
    edit "bogon-loopback"
        set subnet 127.0.0.0 255.0.0.0
        set allow-routing enable
    next
    edit "bogon-apipa"
        set subnet 169.254.0.0 255.255.0.0
        set allow-routing enable
    next
    edit "bogon-rfc1918-slash-12"
        set subnet 172.16.0.0 255.240.0.0
        set allow-routing enable
    next
    edit "bogon-test-net-1"
        set subnet 192.0.2.0 255.255.255.0
        set allow-routing enable
    next
    edit "bogon-rfc1918-slash-16"
        set subnet 192.168.0.0 255.255.0.0
        set allow-routing enable
    next
    edit "bogon-rfc2544"
        set subnet 198.18.0.0 255.254.0.0
        set allow-routing enable
    next
    edit "bogon-test-net-2"
        # TEST-NET-2 is 198.51.100.0/24 (RFC 5737); the posted line had 198.51.0.0
        set subnet 198.51.100.0 255.255.255.0
        set allow-routing enable
    next
    edit "bogon-test-net-3"
        set subnet 203.0.113.0 255.255.255.0
        set allow-routing enable
    next
end
config firewall addrgrp
    edit "Bogons"
        set member "bogon-zero" "bogon-rfc1918-slash-8" "bogon-shared-address-space" "bogon-loopback" "bogon-apipa" "bogon-rfc1918-slash-12" "bogon-test-net-1" "bogon-rfc1918-slash-16" "bogon-rfc2544" "bogon-test-net-2" "bogon-test-net-3"
        set color 10
        set allow-routing enable
    next
end
config router static
    edit 21
        # a named address object is referenced with dstaddr; dst takes an IP/mask pair
        set dstaddr "Bogons"
        set distance 254
        set blackhole enable
    next
end
```
--sk
No, but I have a policy with those and martians that have src/dst address with action deny set.
Ken Felix
PCNSE
NSE
StrongSwan
To me, bogon routes are harmful when the routes are advertised on the internet, not on private networks. Some may be necessary in private networks, and they wouldn't hurt even if the bogus/unnecessary supernet routes existed.
So we only block those, and all longer prefixes within them, from BGP advertisement toward the Internet.
I use the attached config snippet to install blackhole routes for all bogon networks, with the additional quirk that they are always disregarded if there is another route with 'normal' priority.
Say you have an IPsec tunnel and behind it a private network. You need to set a static route to this network in order to allow traffic to it. Now, in case the VPN breaks down, this traffic will follow the default route and be forwarded to the WAN interface. With a blackhole route, it will just be discarded. No leakage and, more importantly, no session buildup. The moment the tunnel is re-established, the connection is up again, as it does not have to wait for session expiry of the WAN-bound traffic.
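The failover behaviour described above, modelled as an added Python example (not code from the thread or from FortiOS): longest-prefix match picks the route, administrative distance breaks ties, and a withdrawn tunnel route falls through to the bogon blackhole rather than the default route. The interface names, the 10.20.0.0/16 tunnel prefix and the distances are constructed.

```python
"""Model of FortiOS route selection with bogon blackhole routes at distance 254."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    distance: int        # administrative distance, lower wins among equal prefixes
    nexthop: str         # constructed interface label, or "blackhole"
    active: bool = True  # False models a route withdrawn because its tunnel is down


# Constructed from the bogon prefixes in the posted config (TEST-NET-2 corrected to /24 of 198.51.100.0).
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
          "198.51.100.0/24", "203.0.113.0/24"]


def bogon_routes(distance=254):
    """Blackhole every bogon prefix at a distance no 'normal' route will lose to."""
    return [Route(ipaddress.ip_network(p), distance, "blackhole") for p in BOGONS]


def lookup(table, dst):
    """Longest prefix first; distance only decides between routes to the same prefix."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if r.active and ip in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def decide(dst, tunnel_up, tunnel_prefix="10.20.0.0/16"):
    """Next hop for dst with a default route to wan1 and a static route over an IPsec tunnel."""
    table = bogon_routes() + [
        Route(ipaddress.ip_network("0.0.0.0/0"), 10, "wan1"),
        Route(ipaddress.ip_network(tunnel_prefix), 10, "vpn-to-branch", active=tunnel_up),
    ]
    best = lookup(table, dst)
    return best.nexthop if best else "no-route"


if __name__ == "__main__":
    for up in (True, False):
        print(f"tunnel up={up}: 10.20.1.1 -> {decide('10.20.1.1', up)}")
```

Without the blackhole entries, the tunnel-down case would return `wan1`, which is the leak the post describes.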
Copyright 2024 Fortinet, Inc. All Rights Reserved.