I can see there being a potential for issues, though there always was when it came to something like bogon filtering, especially if using a list from an outdated source or failing to update it with any frequency. I personally think that with this list at least one should be fairly safe. I ran it for a good 6 months, up until a gap starting about 2 weeks ago, and I know that with every entry I saw in the shorewall log blocked by this filter, I could temporarily disable it, attempt to send a ping or any other ICMP, TCP or UDP packet towards the source address, and get back an ICMP network unreachable.
It does depend on having a good quality list with the updates though; these are produced every 30-120 minutes (always by the 2 hour point, but if changes go over about a dozen they seem to push it early), and the source is from snapshotting the BGP tables. When it comes down to it, if there is no route advertised in BGP for a range, then unless that address is on the same AS as your default route there is no way there will be two-way communication with that host, filtering or otherwise. It will get as far as your default gateway, maybe even to your ISP's edge routers, but there you will get ICMP net unreach. The other thing that occurs to me is that the system administrators at most ASes that have a clue know that it can sometimes take a day or two for a newly advertised route on BGP to actually reach all the tiny branches of the network, so in much the same way as can be the case with DNS updates, generally an AS will publish a route on BGP a good 24-48 hours before they actually try allocating the addresses to end users; to do it any sooner is begging for unhappy customers, or plain incompetent capacity planning. Of course I'm not recommending anyone go ahead and set it up; for many it is likely unnecessary anyway. In my case I have it set up because it seems the VPN service I use has, erm, less than perfect filtering running; it wouldn't surprise me if the spoofed packets are from other users on their network actually, I certainly see enough Windows NetBIOS packets from other hosts in the VPN's virtual subnet. As for why I haven't just gone and complained to them about it and pushed them to get their act in gear, basically the main reason is that I don't actually consider it my provider's job to secure my hosts for me. That, and if I set up filters or firewalls and screw it up then it's on me and I go fix it; a third party starts doing it and it's just a damned hassle.
For most people I don't suggest setting up bogon filtering; however, I will still publish the script to help those who may find it of value, whether simply to study it, to use it as is, or to use it for some other purpose. It was written to be as generic as I could make it without knowing beforehand the exact format of any other lists, thus setting it up to be able to cope with standard # comments, including end-of-line ones, which the current list doesn't use. I figure it might have some more mainstream use to others; for example I've seen malware blacklists around in CIDR form that should work with it, and advertising/tracking host lists also, both of which also require a continuous regular update because malware gets fixed and new machines compromised all the time, and ad hosts tend to move about or at least generally spread on a pretty regular basis. I also consider the IPv6 list in this case to be a different scenario: not only are there currently trillions of bogon IPs in IPv6, but there also seems to me to be more potential for such suspect packets to reach end user networks through various tunnels, especially such as Teredo or unmanaged 6to4. Combine that with the many home and business ISPs whose support for IPv6 ranges from little to none, and I can see it being quite likely that there is a potential to end up with an end user whose tunnel connects directly to a Teredo/6to4 relay and has a sum total of 0 filtering of any kind beyond what is set up by the user themselves on their end. I've seen numerous suspect packets when I've had an unmanaged 6to4 tunnel running myself; I don't get any with the HE tunnel, but HE is a large transit service provider which dual stacked their entire system what feels like forever ago, so they are a bit more on the ball than many.
*Wishes his ISP were in the same boat there and decides to at least remain grateful that they are at least direct peers with HE and as a result the HE tunnel server is only 2 sub-millisecond hops away from his ISP's edge gateway, almost as close to direct native routing as you can get with a tunnel I suspect.*

On 27/02/13 21:57, Paul Gear wrote:
> On 02/24/2013 04:38 AM, Spain, Dr. Jeffry A. wrote:
>> What experience have users had using ShoreWall as a bogon filter
>> using the Team Cymru full bogon lists
>> (http://www.team-cymru.org/Services/Bogons/http.html)? The IPv4 full
>> bogon list contains over 4,600 separate networks that need to be
>> denied, and the IPv6 list over 68,300. Having not tried this myself,
>> I would be concerned a priori about ShoreWall server meltdown.
> With IPv4 moving towards 100% allocation, bogon filters are more likely
> to cause problems than block illegitimate traffic. See
> http://tools.ietf.org/html/rfc6441
> the list of networks to filter
> http://tools.ietf.org/html/rfc5735
> and the discussions at
> http://lists.ausnog.net/pipermail/ausnog/2012-February/012133.html
> and
> http://lists.ausnog.net/pipermail/ausnog/2011-October/011439.html
>
> Paul
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
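As an added example, not the author's script and not anything from the Shorewall project: a POSIX shell parser for a CIDR list in the format the message describes (one prefix per line, `#` comments either on their own line or at the end of an entry), with a syntax check on every IPv4 prefix so a malformed entry is skipped instead of loaded, a freshness check that refuses a list file older than a limit (a stale bogon list is exactly the failure mode the thread worries about), and output as an `ipset restore` stream. Loading the prefixes into a single `hash:net` set is the usual answer to the "4,600 rules" meltdown concern in the quoted question, because the kernel then does one hash lookup per packet rather than walking thousands of iptables rules; Shorewall can match such a set with its `+setname` syntax, which is assumed here and not shown. The sample list, the set name `bogons` and the 180-minute staleness limit (the 30-120 minute update cadence mentioned above, plus slack) are constructed for this example.

```shell
#!/bin/sh
# Added example (not the author's script): parse a CIDR blocklist with '#'
# comments (full-line or end-of-line), validate IPv4 prefixes, refuse a
# stale list file, and emit an 'ipset restore' stream. Names are constructed.

# Constructed sample in the described format (NOT the Team Cymru file).
# It deliberately mixes comment styles, a duplicate and three bad entries.
SAMPLE_LIST='# constructed bogon list sample
# generated for the example only
0.0.0.0/8
10.0.0.0/8   # RFC 1918 private space, end-of-line comment
192.0.2.0/24 # TEST-NET-1
10.0.0.0/8
not-a-prefix
256.1.1.0/24
192.168.0.0/33
'

# Strip comments, surrounding whitespace and empty lines; reads stdin.
normalize_list() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -v '^$'
}

# Return 0 when $1 is a syntactically valid IPv4 prefix (a.b.c.d/n with
# octets 0-255 and n 0-32); anything else is rejected rather than loaded.
valid_cidr4() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    # Split the address on dots without letting the shell glob anything.
    oldifs=$IFS
    IFS=.
    set -f
    set -- $ip
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read a list on stdin and write an 'ipset restore' stream for set $1.
# Duplicates collapse via sort -u; invalid entries go to stderr and are skipped.
build_ipset_restore() {
    setname=$1
    printf 'create %s hash:net family inet\n' "$setname"
    normalize_list | sort -u | while read -r prefix; do
        if valid_cidr4 "$prefix"; then
            printf 'add %s %s\n' "$setname" "$prefix"
        else
            printf 'skipping invalid entry: %s\n' "$prefix" >&2
        fi
    done
}

# Return 0 (stale) when file $1 is missing or older than $2 minutes.
# A list that has stopped updating is the classic way a bogon filter
# starts dropping traffic from newly allocated address space.
list_is_stale() {
    file=$1
    max_minutes=$2
    [ -f "$file" ] || return 0
    [ -n "$(find "$file" -mmin +"$max_minutes" 2>/dev/null)" ]
}

# Usage: sh bogon2ipset.sh /path/to/list.txt | ipset -exist restore
# With no argument the constructed sample is processed instead.
if [ "$#" -ge 1 ]; then
    if list_is_stale "$1" 180; then
        printf 'refusing stale or missing list: %s\n' "$1" >&2
        exit 2
    fi
    build_ipset_restore bogons < "$1"
else
    printf '%s' "$SAMPLE_LIST" | build_ipset_restore bogons
fi
```

Feeding the output through `ipset -exist restore` lets the same script run from cron on every list refresh without failing on a set that already exists; the validation step matters because a single malformed line would otherwise abort the whole restore and leave the filter in whatever state the previous run left it.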