Re: Request comment: list of IPs to block outbound

[Florian Brandstetter via NANOG <nanog () nanog org>]

Hi,

sorry - but why would you want to block Teredo / 6to4?
Florian Brandstetter
President & Founder
W // https://www.globalone.io (https://link.getmailspring.com/link/5EDC7C51-257C-47AC-B303-4B5A7F6E9AD9 () 
getmailspring com/0?redirect=https%3A%2F%2Fwww.globalone.io&recipient=bmFub2dAbmFub2cub3Jn)

On Okt. 13 2019, at 5:58 pm, Stephen Satchell <list () satchell net> wrote:
> The following list is what I'm thinking of using for blocking traffic
> between an edge router acting as a firewall and an ISP/upstream. This
> table is limited to address blocks only; TCP/UDP port filtering, and IP
> protocol filtering, is a separate discussion. This is for an
> implementation of BCP-38 recommendations.
>
> I'm trying to decide whether the firewall should just blackhole these
> addresses in the routing table, or use rules in NFTABLES against source
> and destination addresses, or some combination. If NFTABLES, the best
> place to put the blocks (inbound and outbound) would be in the FORWARD
> chain, both inbound and outbound. (N.B. for endpoint boxes, they go
> into the OUTPUT chain.)
>
> In trying to research what would constitute "best practice", the papers
> I found were outdated, potentially incomplete (particularly with
> reference to IPv6), or geared toward other applications. This table
> currently does not have exceptions -- some may need to be added as a
> specific "allow" route or list.
>
> The Linux rp_filter knob is effective for endpoint servers and
> workstations, and I turn it on religiously (easy because it's the
> default). For a firewall router without blackhole routes, it's less
> effective because, for incoming packets, a source address matching one
> of your inside netblocks will pass. A subset of the list would be
> useful in endpoint boxes to relieve pressure on the upstream edge router
> -- particularly if a ne'er-do-well successfully hijacks the endpoint box
> to participate in a DDoS flood.
>
> IPv4
> Address block Scope Description
> 0.0.0.0/8 Software Current network (only valid as
> source address).
> 10.0.0.0/8 Private network Used for local communications
> within a private network.
> 100.64.0.0/10 Private network Shared address space[3] for
> communications between a service
> provider and its subscribers
> when using a carrier-grade NAT.
> 127.0.0.0/8 Host Used for loopback addresses to
> the local host.
> 169.254.0.0/16 Subnet Used for link-local addresses
> between two hosts on a single
> link when no IP address is
> otherwise specified, such as
> would have normally been
> retrieved from a DHCP server.
> 172.16.0.0/12 Private network Used for local communications
> within a private network.
> 192.0.0.0/24 Private network IETF Protocol Assignments.
> 192.0.2.0/24 Documentation Assigned as TEST-NET-1,
> documentation and examples.
> 192.88.99.0/24 Internet Reserved. Formerly used for
> IPv6 to IPv4 relay
> 192.168.0.0/16 Private network Used for local communications
> within a private network.
> 198.18.0.0/15 Private network Used for benchmark testing of
> inter-network communications
> between two separate subnets.
> 198.51.100.0/24 Documentation Assigned as TEST-NET-2,
> documentation and examples.
> 203.0.113.0/24 Documentation Assigned as TEST-NET-3,
> documentation and examples.
> 224.0.0.0/4 Internet In use for IP multicast.
> 240.0.0.0/4 Internet Reserved for future use.
> 255.255.255.255/32 Subnet Reserved for the "limited
> broadcast" destination address.
>
> IPv6
> Address block Usage Purpose
> ::/0 Routing Default route.
> ::/128 Software Unspecified address.
> ::1/128 Host Loopback address to local host.
> ::ffff:0:0/96 Software IPv4 mapped addresses.
> ::ffff:0:0:0/96 Software IPv4 translated addresses.
> 64:ff9b::/96 Global Internet IPv4/IPv6 translation.
> 100::/64 Routing Discard prefix.
> 2001::/32 Global Internet Teredo tunneling.
> 2001:20::/28 Software ORCHIDv2.
> 2001:db8::/32 Documentation Addresses used in documentation
> and example source code.
> 2002::/16 Global Internet The 6to4 addressing scheme
> fc00::/7 Private network Unique local address.
> fe80::/10 Link Link-local address.
> ff00::/8 Global Internet Multicast address.