Re: BCP38 on public-facing Ubuntu servers

[Alain Hebert <ahebert () pubnix net>]

    And by that he means: "only a few" =D.

-----
Alain Hebert                                ahebert () pubnix net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 6/2/21 12:40 AM, Stephen Satchell wrote:
> Not every uplink service implements BCP38.  When putting up servers 
> connected more-or-less directly to the Internet through these uplinks, 
> it would be nice if the servers themselves were able to implement 
> ingress and egress filtering according to BCP38.  (Sorry about the 
> typo in the subject lines of my previous message -- not everyone can 
> get a BGP feed.)
>
> (Or, when using Ubuntu server edition to implement edge routers.)
>
> My earlier query was asking if anyone has encoded the blackhole routes 
> in YAML for inserting in netplan(5).  My prior message contains the 
> routes to be blackholed.  That takes care of egress routing.
>
> (I think I can write a Python program to take my list and convert it 
> to the YAML that netplan(5) wants to see.  That way, the routes are 
> inserted when the public interface is up, and removed when the public 
> interface is down.)
>
> Ingress routing appears to be one-line addition.  IPTABLES can be told 
> to weed out packets with unroutable source addresses.  My experiments 
> will add something like this line to the firewall:
>
> # iptables -A INPUT -m addrtype -i enp1s0 --src-type BLACKHOLE -j DROP
>
> THIS HAS NOT BEEN VERIFIED.  I'm building a web server that will 
> integrate this idea, and try it out.