nanog mailing list archives
Re: Request comment: list of IPs to block outbound
From: Grant Taylor via NANOG <nanog () nanog org>
Date: Sun, 13 Oct 2019 18:35:31 -0600
On 10/13/19 9:58 AM, Stephen Satchell wrote:
The Linux rp_filter knob is effective for endpoint servers and workstations, and I turn it on religiously (easy because it's the default).
I think it's just as effective on routers as it is on servers and workstations.
For a firewall router without blackhole routes, it's less effective because, for incoming packets, a source address matching one of your inside netblocks will pass.
I'm not following that statement. Is incoming a reference to packets from the Internet to your LAN? Or is incoming a reference to packets coming in any interface, thus possibly including from your LAN to the Internet?
Even without blackhole (reject) routes, a packet from the Internet spoofing a LAN IP will be rejected by rp_filter because it's coming in an interface that is not an outgoing interface for the purported source IP.
A subset of the list would be useful in endpoint boxes to relieve pressure on the upstream edge router -- particularly if a ne'er-do-well successfully hijacks the endpoint box to participate in a DDoS flood.
rp_filtering will filter packets coming in from the internal endpoint that's been compromised if the packets spoof a source from anywhere by the local LAN. (No comment about spoofing different LAN IPs.)
I've been exceedingly happy with rp_filter and blackhole (reject) routes.I've taken this to another level where I have multiple routing tables and rules that cascade across tables. One of the later rules is a routing table for any and all bogons & RFC 3330. I am still able to access specific networks that fall into RFC 3330 on internal lab networks without a problem because those prefixes are found in routing tables that are searched before the bogon table that black holes (rejects) the packets. IMHO it works great. (I really should do a write up of that.)
I think you should seriously re-consider using rp_filter on a router. -- Grant. . . . unix || die
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Request comment: list of IPs to block outbound Stephen Satchell (Oct 13)
- Re: Request comment: list of IPs to block outbound Florian Brandstetter via NANOG (Oct 13)
- Re: Request comment: list of IPs to block outbound Stephen Satchell (Oct 13)
- Re: Request comment: list of IPs to block outbound Brandon Martin (Oct 13)
- Re: Request comment: list of IPs to block outbound Stephen Satchell (Oct 13)
- Re: Request comment: list of IPs to block outbound Seth Mattinen (Oct 13)
- Re: Request comment: list of IPs to block outbound William Herrin (Oct 13)
- Re: Request comment: list of IPs to block outbound Saku Ytti (Oct 13)
- Re: Request comment: list of IPs to block outbound Måns Nilsson (Oct 22)
- Re: Request comment: list of IPs to block outbound Enno Rey (Oct 13)
- Re: Request comment: list of IPs to block outbound Grant Taylor via NANOG (Oct 13)
- Re: Request comment: list of IPs to block outbound Saku Ytti (Oct 13)
- Re: Request comment: list of IPs to block outbound Vincent Bernat (Oct 13)
- Re: Request comment: list of IPs to block outbound Saku Ytti (Oct 15)
- Re: Request comment: list of IPs to block outbound Lukas Tribus (Oct 18)
- Re: Request comment: list of IPs to block outbound Saku Ytti (Oct 18)
- Re: Request comment: list of IPs to block outbound Chris Jones (Oct 18)
- Re: Request comment: list of IPs to block outbound Lukas Tribus (Oct 18)
- Re: Request comment: list of IPs to block outbound Saku Ytti (Oct 19)
- Re: Request comment: list of IPs to block outbound Lukas Tribus (Oct 20)
- Re: Request comment: list of IPs to block outbound Saku Ytti (Oct 20)
- Re: Request comment: list of IPs to block outbound Saku Ytti (Oct 13)
- Re: Request comment: list of IPs to block outbound Florian Brandstetter via NANOG (Oct 13)