nanog mailing list archives
Re: BCP38 on public-facing Ubuntu servers
From: Alain Hebert <ahebert () pubnix net>
Date: Wed, 2 Jun 2021 09:23:35 -0400
And by that he means: "only a few" =D.

-----
Alain Hebert    ahebert () pubnix net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770
Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911    http://www.pubnix.net    Fax: 514-990-9443

On 6/2/21 12:40 AM, Stephen Satchell wrote:
Not every uplink service implements BCP38. When putting up servers connected more-or-less directly to the Internet through these uplinks, it would be nice if the servers themselves were able to implement ingress and egress filtering according to BCP38.

(Sorry about the typo in the subject lines of my previous message -- not everyone can get a BGP feed.)

(Or, when using Ubuntu server edition to implement edge routers.)

My earlier query was asking if anyone has encoded the blackhole routes in YAML for inserting in netplan(5). My prior message contains the routes to be blackholed. That takes care of egress routing.

(I think I can write a Python program to take my list and convert it to the YAML that netplan(5) wants to see. That way, the routes are inserted when the public interface is up, and removed when the public interface is down.)

Ingress routing appears to be a one-line addition. IPTABLES can be told to weed out packets with unroutable source addresses. My experiments will add something like this line to the firewall:

    # iptables -A INPUT -m addrtype -i enp1s0 --src-type BLACKHOLE -j DROP

THIS HAS NOT BEEN VERIFIED. I'm building a web server that will integrate this idea, and try it out.
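
The list-to-netplan conversion proposed in the quoted message could look like the following; this is an added example, not code from the thread or from either poster. The prefix list is a constructed sample of well-known special-purpose ranges (the poster's own list is in an earlier message), the function names are hypothetical, and it assumes netplan accepts a route with `type: blackhole` and no `via`.

```python
import ipaddress

# Constructed sample, NOT the poster's list: well-known special-purpose IPv4
# ranges, plus a deliberate duplicate and a prefix covered by a larger one.
SAMPLE_PREFIXES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "192.168.1.0/24",  # already covered by 192.168.0.0/16
    "10.0.0.0/8",      # duplicate
]

def blackhole_networks(prefixes, connected=()):
    """Validate and collapse prefixes into a minimal route set.

    Raises ValueError for a malformed prefix (host bits set) and for any
    prefix overlapping a directly connected subnet, so a server that itself
    sits in private space does not blackhole its own neighbours or gateway.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    local = [ipaddress.ip_network(c, strict=False) for c in connected]
    for net in nets:
        for loc in local:
            if net.version == loc.version and net.overlaps(loc):
                raise ValueError(f"{net} overlaps connected subnet {loc}")
    result = []
    for version in (4, 6):  # collapse_addresses() cannot mix address families
        family = [n for n in nets if n.version == version]
        result.extend(ipaddress.collapse_addresses(family))
    return result

def netplan_yaml(iface, nets):
    """Render the routes as a netplan fragment for one ethernet interface."""
    lines = ["network:", "  version: 2", "  ethernets:",
             f"    {iface}:", "      routes:"]
    for net in nets:
        # Quoted so IPv6 prefixes with colons stay plain YAML strings.
        lines.append(f'        - to: "{net}"')
        lines.append("          type: blackhole")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # enp1s0 is the interface name used in the quoted iptables line.
    print(netplan_yaml("enp1s0", blackhole_networks(SAMPLE_PREFIXES)), end="")
```

Pass the server's own interface addresses as `connected` (for example `["192.168.1.10/24"]`) to have the script refuse a list that would cut off the local subnet.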
Current thread:
- BCP38 on public-facing Ubuntu servers Stephen Satchell (Jun 01)
- RE: BCP38 on public-facing Ubuntu servers Jean St-Laurent via NANOG (Jun 02)
- Re: BCP38 on public-facing Ubuntu servers Grant Taylor via NANOG (Jun 02)
- Re: BCP38 on public-facing Ubuntu servers William Herrin (Jun 03)
- Re: BCP38 on public-facing Ubuntu servers Grant Taylor via NANOG (Jun 03)
- Re: BCP38 on public-facing Ubuntu servers Jay Vosburgh (Jun 04)
- Re: BCP38 on public-facing Ubuntu servers Fran via NANOG (Jun 08)
- Re: BCP38 on public-facing Ubuntu servers Stephen Satchell (Jun 08)
- RE: BCP38 on public-facing Ubuntu servers Jean St-Laurent via NANOG (Jun 09)
- Re: BCP38 on public-facing Ubuntu servers Grant Taylor via NANOG (Jun 02)
- RE: BCP38 on public-facing Ubuntu servers Jean St-Laurent via NANOG (Jun 02)