nanog mailing list archives
Re: Bogon filtering (don't ban me)
From: Joe Abley <jabley () isc org>
Date: Sun, 5 Dec 2004 15:55:56 -0500
On 5 Dec 2004, at 13:31, william(at)elan.net wrote:
> On Sun, 5 Dec 2004, william(at)elan.net wrote:
>> On Sun, 5 Dec 2004, Joe Abley wrote:
>>> With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to BGP updates received from individual peers which updates a pf radix table with the network received:
>> PF and bgpd with local filter table is good when you're expecting those filtered ip routes to change often. But this is not true about bogons
> Ok, I guess I did not read original post closely enough. PF is for reinjecting routes that match local rules back into bgp, right?
No -- pf is a packet filter, and in this case the rules for what packets to filter are being driven by BGP updates instead of static config. Nothing is being re-introduced from pf into BGP.
It's very true that the routes received from the bogon servers don't change very often. However, I still very much like the idea of outsourcing the job of keeping my firewalls' bogon filters up-to-date to team cymru, rather than having to worry about doing it myself.
> For looking at active routes and seeing which ones match the rules I personally use "hacked" bird daemon, but it is not ready for public testing...
I'm sure there are many ways to skin this particular house pet.
OpenBSD 3.6 let me do all this stuff out-of-the-box, without installing a single other package. I find that I like that; not having to compile and tweak stuff makes me happy. I guess I'm getting old.
Joe
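A configuration sketch of the setup described in the message above, added here as an illustration and not taken from the post or from the poster's own configuration. The AS numbers, addresses, group name, table name and interface are placeholders, and current bgpd.conf(5)/pf.conf(5) syntax is assumed.

```conf
# Added example: every address, AS number and name below is a placeholder.

# --- /etc/bgpd.conf ---
AS 64496
router-id 192.0.2.1

# Assumed multihop eBGP session to a bogon route server.
group "bogon-feed" {
	remote-as 64497
	multihop 255
	neighbor 192.0.2.254 {
		descr "bogon route server"
	}
}

# Accept updates from the feed. Routing policy for these prefixes
# (for example whether they should reach the kernel routing table)
# is a separate decision and is left out of this sketch.
allow from group "bogon-feed"

# The rule that ties BGP to the packet filter: each prefix received
# from the feed is added to the pf radix table named "bogons".
match from group "bogon-feed" set pftable "bogons"

# --- /etc/pf.conf ---
ext_if = "em0"            # assumed external interface

# The table starts empty and is kept even with no entries;
# bgpd populates it as updates arrive.
table <bogons> persist

# Filter on the table contents. Nothing flows from pf back into BGP.
block in  quick on $ext_if from <bogons> to any
block out quick on $ext_if from any to <bogons>
```

`pfctl -t bogons -T show` lists what the table currently holds, which is the check to run after the session comes up. The filter is only as current as the BGP session feeding it, so the session state is worth monitoring alongside the firewall.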