Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HOWTO: Block RFC 1918 outbound

    Scheduled Pinned Locked Moved Firewalling
    5 Posts 3 Posters 672 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nfr
      last edited by

      To create RFC 1918 outgoing firewall rules, go to Firewall / Rules / Floating click add. Under Firewall Rule select action to block, select the internet facing interface(s), direction to detect as out, set the ip address family to the correct version and protocol to any. Set the destination as network and set the network to a local range you want to block (example 192.168.0.0/16). Under extra options check the log check box to log the packets. Repeat creating rules for the private address ranges of: 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 fc00::/7 .

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        I prefer Reject there over block.

        I would also make an alias and use that as the destination for the rule.

        I currently reject these outbound:

        UNROUTABLEV4 Table
        IP Address
        10.0.0.0/8
        100.64.0.0/10
        127.0.0.0/8
        169.254.0.0/16
        172.16.0.0/12
        192.0.2.0/24
        192.168.0.0/16
        198.51.100.0/24
        203.0.113.0/24

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          Derelict do you log that - curious how many hits you get on such a rule.  Such a rule makes sense to be a nice netizen and not send out what amounts to noise to your isp..  But the only scenario this should come into play is something misconfigured or rouge on your network that would be trying to talk to those network that do not exist on your local network..

          For example in what possible scenario would an 127.0.0.0/8 address every be sent out your wan interface?  I don't see how that should/could ever happen..

          Couldn't you just use the bogon table for this rule anyway - vs having to create your own alias?

          Aren't you missing a few?
          198.18.0.0/15
          192.88.99.0/24

          All of those plus some others that shouldn't hit the net are all in bogon..
          http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            I am mostly concerned about the ones I might use in here. It's usually something lab-oriented.

            If an OpenVPN is down for some reason you can also leak RFC1918.

            I don't feel like going through the logs but it's not zero.

            ![Screen Shot 2017-08-24 at 8.40.28 AM.png](/public/imported_attachments/1/Screen Shot 2017-08-24 at 8.40.28 AM.png)
            ![Screen Shot 2017-08-24 at 8.40.28 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-08-24 at 8.40.28 AM.png_thumb)

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • N
              nfr
              last edited by

              After setting up these rules and logging a couple of items were found. The most interesting was outgoing packets to 192.168.0.3 from several powered down systems with DASH enabled in the BIOS. The systems were sending out requests on port 162 with a MIB of .1.3.6.1.4.1.3183.1.1 . After disabling DASH the traffic disappeared. I get a few logged packets every day mostly from websites with errors in the code from testing.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.