Why Bogon & RFC 1918 block rules are a WAN interface default when there is an Implicit Deny rule?



  • Why Bogon & RFC 1918 block rules are a WAN interface default when there is an Implicit Deny rule?

    I'm not trying to dismantle or complain about the design decisions behind this implementation; I just want to understand the reasoning behind having these explicit rules in place as a default for WAN interfaces when all incoming traffic is already implicitly denied.

    I understand what the rules are doing and what they are intended to block. I have also reviewed this in the book.

    Maybe some scenarios or use cases would be helpful because to me it seems redundant to have those two rules ON as a default.

    Thanks!


  • Galactic Empire

    @aaronater said in Why Bogon & RFC 1918 block rules are a WAN interface default when there is an Implicit Deny rule?:

    I'm not trying to dismantle or complain about the design decisions behind this implementation; I just want to understand the reasoning behind having these explicit rules in place as a default for WAN interfaces when all incoming traffic is already implicitly denied.
    I understand what the rules are doing and what they are intended to block. I have also reviewed this in the book.
    Maybe some scenarios or use cases would be helpful because to me it seems redundant to have those two rules ON as a default.
    Thanks

    You wouldn't normally see them on the WAN port, and if you do, they are very suspect.


  • Rebel Alliance Developer Netgate

    Once you start passing things on the WAN, for example, NAT port forwards, then you still don't want to allow traffic in from invalid sources.



  • @jimp

    I see.

    So in the event you need a rule on the WAN that allows any source traffic to pass through, those two rules applied by default are there to help quality-check the sources coming in, based on the predefined and regularly updated lists.

    Since it is applied by default, it seems safe to say this is an encouraged best practice.

    Thanks for the quick response! Appreciate the help in clearing the curiosity even though I know leaving it on wouldn't hurt anything regardless.

    Great design.



  • @aaronater said in Why Bogon & RFC 1918 block rules are a WAN interface default when there is an Implicit Deny rule?:

    So in the event you need a rule on the WAN that allows any source traffic to pass through

    That's actually quite common. Unless you know specifically where traffic is coming from, you generally allow any source address. This just ensures they're actually valid source addresses.

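The point made in the two replies above, as an added illustration that is not part of this thread: a first-match WAN rule evaluation where the implicit deny alone no longer protects you once a pass-any-source port forward exists, but the bogon and RFC 1918 block rules sitting above it still do. The rule order, the TCP/443 port forward and the short bogon sample are constructed assumptions (the real bogon list is longer and updated regularly).

```python
import ipaddress

# Constructed: the RFC 1918 private ranges and a small sample of bogon ranges.
# The real bogon list pfSense downloads is much longer and also overlaps RFC 1918;
# the sample deliberately leaves those out so each rule's match is visible.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGON_SAMPLE = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "240.0.0.0/4")]


def in_any(ip, networks):
    return any(ip in n for n in networks)


def evaluate(rules, src, dport):
    """Top-down, first-match evaluation of (action, source-matcher, dest-port-or-None).

    Anything no rule matches falls through to the implicit deny, as on a WAN interface.
    """
    ip = ipaddress.ip_address(src)
    for action, src_match, port in rules:
        if src_match(ip) and (port is None or port == dport):
            return action
    return "block (implicit deny)"


# Hypothetical port forward: pass from any source to TCP/443 on an internal host.
PORT_FORWARD = ("pass (port forward)", lambda ip: True, 443)

# Assumption: the interface's block rules are placed above the user's pass rules.
WAN_WITHOUT_DEFAULTS = [PORT_FORWARD]
WAN_WITH_DEFAULTS = [
    ("block (bogon)", lambda ip: in_any(ip, BOGON_SAMPLE), None),
    ("block (RFC 1918)", lambda ip: in_any(ip, RFC1918), None),
    PORT_FORWARD,
]


def compare(src, dport):
    """Return (verdict without the default block rules, verdict with them)."""
    return (evaluate(WAN_WITHOUT_DEFAULTS, src, dport),
            evaluate(WAN_WITH_DEFAULTS, src, dport))


if __name__ == "__main__":
    # Constructed sample packets arriving on WAN: public source, RFC 1918 source,
    # loopback (bogon) source, and a public source to a port with no pass rule.
    for src, dport in (("203.0.113.7", 443), ("10.20.30.40", 443),
                       ("127.0.0.1", 443), ("203.0.113.7", 22)):
        print(f"{src} -> tcp/{dport}: {compare(src, dport)}")
```

With only the port forward in place, the spoofed private and loopback sources are passed just like the public one; with the default block rules above it, only the public source reaches the forwarded port.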


  • @JKnott

    Makes sense. Thanks

