Re: [pfSense-discussion] Re: ARIN space not accepted

2010-12-11 Thread Chris Buechler
On Sat, Dec 11, 2010 at 11:23 AM, Gé Weijers g...@weijers.org wrote:


 [...]  That means, prior to end of Q1, the bogon list will be:

 0/8
 10/8
 127/8
 172.16/12
 192.168/16
 224/3

 There's a number of special-use ranges that are not in this list, but which
 should not occur as (source) addresses on the internet. So if you're
 manually configuring a list and are sufficiently paranoid refer to RFC5735
 and use these additional ones:


 192.0.0/24    (future-use special purpose)
 192.0.2/24    (TEST-NET-1)
 198.18/15     (benchmark testing of interconnect devices)
 198.51.100/24 (TEST-NET-2)
 203.0.113/24  (TEST-NET-3)

 You should filter these source addresses as well:

 169.254/16    (link-local addresses)
 192.88.99/24  (6to4 anycast, not a valid *source* address)


The bogons list we use is from Cymru, it includes all of the above
with the exception of 6to4 anycast.

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense-discussion] Re: ARIN space not accepted

2010-12-04 Thread Nathan Eisenberg
 -Original Message-
 From: Scott Ullrich [mailto:sullr...@gmail.com]
 Sent: Saturday, December 04, 2010 11:47 AM
 To: discussion@pfsense.com
 Subject: Re: [pfSense-discussion] Re: ARIN space not accepted
 
 On Sat, Dec 4, 2010 at 7:26 AM, Eugen Leitl eu...@leitl.org wrote:
  - Forwarded message from Leo Bicknell bickn...@ufp.org -
 
  From: Leo Bicknell bickn...@ufp.org
  Date: Fri, 3 Dec 2010 14:24:16 -0800
  To: na...@nanog.org
  Subject: Re: ARIN space not accepted
  Organization: United Federation of Planets
 
  In a message written on Fri, Dec 03, 2010 at 04:13:58PM -0600, Jack Bates wrote:
  The first takers in a space are hit the hardest. Rementioning here is
  important. Do a google search and find any pages still mentioning
  blocking the range. Contact them and ask them to update. Then you have
  to start the long list with others. It's recommended you set up a server
  with 2 IP addresses, one in the range, one outside the range, so that
  people can check against them both to verify that the problem is with
  the range itself. I've seen some networks that run automatic probes from
  both ranges and compare the results, automatically sending emails to
  whois contacts concerning the problem.
 
  For those not paying attention, the current bogon list should be:
 
  0/8
  10/8
  39/8
  102/8
  103/8
  104/8
  106/8
  127/8
  172.16/12
  179/8
  185/8
  192.168/16
  224/3
 
  It is speculated that no later than Q1, two more /8's will be allocated,
  triggering a policy that will give the remaining 5 /8's out to the
  RIR's.  That means, prior to end of Q1, the bogon list will be:
 
  0/8
  10/8
  127/8
  172.16/12
  192.168/16
  224/3
 
  I'd suggest it would be good if folks updated to that now, to prevent
  these sorts of problems.  I promise, this time it is the last update
  you'll need to do. :)
 
  --
        Leo Bicknell - bickn...@ufp.org - CCIE 3440
         PGP keys at http://www.ufp.org/~bicknell/
 
 
 
  - End forwarded message -
 
 Anyone needing to update their bogons can run this from a command
 prompt (shell - option #8):
 
 /etc/rc.update_bogons.sh now
 exit
 
 Scott
 
 
 
 
How often is this automatically done?

Best Regards,
Nathan Eisenberg
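
Added example, not part of the thread and not pfSense code: a Python sketch that expands the shorthand prefixes quoted above and reports which entries of an older bogon filter still drop space that the shorter list no longer treats as bogon. The list names, function names and sample source addresses are constructed for illustration.

```python
import ipaddress

# Prefix lists as quoted in the thread, in its shorthand notation.
# The variable names are labels chosen for this example.
LIST_AT_POSTING = ("0/8 10/8 39/8 102/8 103/8 104/8 106/8 127/8 "
                   "172.16/12 179/8 185/8 192.168/16 224/3").split()
LIST_AFTER_Q1 = "0/8 10/8 127/8 172.16/12 192.168/16 224/3".split()
RFC5735_EXTRA = ("192.0.0/24 192.0.2/24 198.18/15 198.51.100/24 "
                 "203.0.113/24 169.254/16 192.88.99/24").split()


def expand(short):
    """Expand shorthand such as '172.16/12' to an IPv4Network.

    Missing trailing octets are zero-filled; strict=True rejects a prefix
    with host bits set, which catches typos in a hand-maintained list.
    """
    addr, plen = short.split("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=True)


def blocked_by(source, prefixes):
    """Return the first shorthand prefix that covers `source`, else None."""
    ip = ipaddress.ip_address(source)
    for short in prefixes:
        if ip in expand(short):
            return short
    return None


def stale_entries(deployed, reference):
    """Deployed prefixes not covered by any reference prefix.

    These are the entries that keep dropping traffic from space the
    reference list no longer treats as bogon.
    """
    ref = [expand(p) for p in reference]
    return [p for p in deployed if not any(expand(p).subnet_of(r) for r in ref)]


if __name__ == "__main__":
    print("remove from an old filter:", stale_entries(LIST_AT_POSTING, LIST_AFTER_Q1))
    # Constructed sample sources, one per case discussed in the thread.
    for src in ("102.1.2.3", "10.9.8.7", "192.88.99.1", "203.0.113.5"):
        print(src, "short list:", blocked_by(src, LIST_AFTER_Q1),
              "| with RFC 5735 extras:", blocked_by(src, LIST_AFTER_Q1 + RFC5735_EXTRA))
```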

