HOWTO: Block RFC 1918 outbound

nfr · Aug 23, 2017, 4:48 PM

To create RFC 1918 outgoing firewall rules, go to Firewall / Rules / Floating click add. Under Firewall Rule select action to block, select the internet facing interface(s), direction to detect as out, set the ip address family to the correct version and protocol to any. Set the destination as network and set the network to a local range you want to block (example 192.168.0.0/16). Under extra options check the log check box to log the packets. Repeat creating rules for the private address ranges of: 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 fc00::/7 .

Derelict · Aug 23, 2017, 5:20 PM

I prefer Reject there over block.

I would also make an alias and use that as the destination for the rule.

I currently reject these outbound:

UNROUTABLEV4 Table
IP Address
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
198.51.100.0/24
203.0.113.0/24

johnpoz · Aug 24, 2017, 1:44 PM

Derelict do you log that - curious how many hits you get on such a rule. Such a rule makes sense to be a nice netizen and not send out what amounts to noise to your isp.. But the only scenario this should come into play is something misconfigured or rouge on your network that would be trying to talk to those network that do not exist on your local network..

For example in what possible scenario would an 127.0.0.0/8 address every be sent out your wan interface? I don't see how that should/could ever happen..

Couldn't you just use the bogon table for this rule anyway - vs having to create your own alias?

Aren't you missing a few?
198.18.0.0/15
192.88.99.0/24

All of those plus some others that shouldn't hit the net are all in bogon..
http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

Derelict · Aug 24, 2017, 3:41 PM

I am mostly concerned about the ones I might use in here. It's usually something lab-oriented.

If an OpenVPN is down for some reason you can also leak RFC1918.

I don't feel like going through the logs but it's not zero.

![Screen Shot 2017-08-24 at 8.40.28 AM.png](/public/imported_attachments/1/Screen Shot 2017-08-24 at 8.40.28 AM.png)
![Screen Shot 2017-08-24 at 8.40.28 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-08-24 at 8.40.28 AM.png_thumb)

nfr · Aug 24, 2017, 4:06 PM

After setting up these rules and logging a couple of items were found. The most interesting was outgoing packets to 192.168.0.3 from several powered down systems with DASH enabled in the BIOS. The systems were sending out requests on port 162 with a MIB of .1.3.6.1.4.1.3183.1.1 . After disabling DASH the traffic disappeared. I get a few logged packets every day mostly from websites with errors in the code from testing.