Netgate Discussion Forum

Why Bogon & RFC 1918 block rules are a WAN interface default when there is an Implicit Deny rule?

Category: Firewalling
6 Posts 4 Posters 711 Views
aaronater
last edited by Jul 1, 2019, 11:06 PM

    Not trying to dismantle or complain about the design decisions behind this implementation; I just want to understand the reasoning behind having these explicit rules in place as a default for WAN interfaces when all incoming traffic is already implicitly denied.

    I understand what the rules are doing and what they are intended to block. I have also reviewed it in the book.

    Maybe some scenarios or use cases would be helpful because to me it seems redundant to have those two rules ON as a default.

    Thanks!

    NogBadTheBad
    last edited by Jul 2, 2019, 6:16 AM

      @aaronater said in Why Bogon & RFC 1918 block rules are a WAN interface default when there is an Implicit Deny rule?:

      Not trying to dismantle or complain about the design decisions behind this implementation; I just want to understand the reasoning behind having these explicit rules in place as a default for WAN interfaces when all incoming traffic is already implicitly denied.
      I understand what the rules are doing and what they are intended to block. I have also reviewed it in the book.
      Maybe some scenarios or use cases would be helpful because to me it seems redundant to have those two rules ON as a default.
      Thanks

      You wouldn't normally see them on the WAN port and if you do they are very suspect.

      Andy

      jimp (Rebel Alliance Developer, Netgate)
      last edited by Jul 2, 2019, 12:26 PM

        Once you start passing things on the WAN, for example, NAT port forwards, then you still don't want to allow traffic in from invalid sources.

        aaronater @jimp
        last edited by Jul 2, 2019, 8:16 PM

          @jimp

          I see.

          So in the event you need a rule on the WAN that allows any source traffic to pass through, those two rules applied by default are there to help quality check the sources coming in based on the predefined & updated lists.

          Since it is applied by default, seems safe to say this is an encouraged best practice.

          Thanks for the quick response! Appreciate the help in clearing the curiosity even though I know leaving it on wouldn't hurt anything regardless.

          Great design.

          JKnott @aaronater
          last edited by Jul 2, 2019, 8:28 PM

            @aaronater said in Why Bogon & RFC 1918 block rules are a WAN interface default when there is an Implicit Deny rule?:

            So in the event you need a rule on the WAN that allows any source traffic to pass through

            That's actually quite common. Unless you know specifically where traffic is coming from, you generally allow any source address. This just ensures they're actually valid source addresses.

            aaronater @JKnott
            last edited by Jul 2, 2019, 9:08 PM
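The point made in jimp's and JKnott's replies above (a port forward on WAN is an "allow from any source" rule, so the bogon and RFC 1918 block rules have to sit in front of it) can be shown with a small first-match rule evaluator. This is an added example, not code from the thread or from pfSense itself: it models pfSense's first-match ("quick") rule evaluation on an interface tab and the implicit default deny at the end, with a hand-picked subset of bogon prefixes standing in for the table pfSense fetches. The RFC 1918 prefixes are the real ones; the `Rule`, `wan_ruleset` and `evaluate` names, the forwarded port 443 and the sample client addresses are all assumptions made for the illustration (IPv4 only, and the destination side of the NAT is left out).

```python
"""Model of pfSense WAN rule ordering: block private/bogon sources before a port forward.

Added example, not pfSense code. First-match semantics: the first rule whose
source/destination-port criteria match decides the packet; if nothing matches,
the implicit default deny applies.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# RFC 1918 private ranges (exact).
RFC1918: List[IPv4Network] = [
    ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed subset of a bogon table. pfSense downloads the real list from Netgate;
# this sample deliberately omits the documentation ranges (192.0.2.0/24 excepted)
# so 203.0.113.0/24 can stand in for a public client below.
BOGONS: List[IPv4Network] = [
    ip_network(n) for n in (
        "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
        "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4",
    )
]


@dataclass
class Rule:
    action: str                            # "block" or "pass"
    sources: Optional[List[IPv4Network]]   # None means "any source"
    dport: Optional[int] = None            # None means "any destination port"
    label: str = ""

    def matches(self, src: IPv4Address, dport: int) -> bool:
        if self.dport is not None and dport != self.dport:
            return False
        if self.sources is None:
            return True
        return any(src in net for net in self.sources)


def wan_ruleset(block_private: bool = True, block_bogons: bool = True,
                forwarded_port: int = 443) -> List[Rule]:
    """WAN tab as pfSense lays it out: the two default block rules (if enabled),
    then the auto-generated pass rule for a NAT port forward from any source."""
    rules: List[Rule] = []
    if block_private:
        rules.append(Rule("block", RFC1918, label="Block private networks"))
    if block_bogons:
        rules.append(Rule("block", BOGONS, label="Block bogon networks"))
    rules.append(Rule("pass", None, forwarded_port,
                      label=f"NAT port forward: any -> tcp/{forwarded_port}"))
    return rules


def evaluate(rules: List[Rule], src: str, dport: int) -> Tuple[str, str]:
    """Return (action, label) of the first matching rule, or the default deny."""
    src_addr = ip_address(src)
    for rule in rules:
        if rule.matches(src_addr, dport):
            return rule.action, rule.label
    return "block", "default deny"


if __name__ == "__main__":
    # Constructed sample packets: (source, destination port).
    samples = [("203.0.113.10", 443), ("203.0.113.10", 22),
               ("10.1.2.3", 443), ("127.0.0.1", 443)]
    for name, rs in (("default WAN", wan_ruleset()),
                     ("block rules disabled", wan_ruleset(False, False))):
        print(f"== {name} ==")
        for src, port in samples:
            action, label = evaluate(rs, src, port)
            print(f"{src:>14} -> :{port:<4} {action:5} ({label})")
```

With the two block rules enabled, a packet with a spoofed 10.1.2.3 source aimed at the forwarded port is dropped by "Block private networks" before the port-forward pass rule sees it; with them disabled, the same packet is passed, because the port forward's source is "any". Traffic to a port that is not forwarded falls through to the default deny either way, which is exactly why the block rules look redundant until the first pass rule appears on WAN.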

              @JKnott

              Makes sense. Thanks

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.