Create rule with bogons
-
pfSense has a great feature that allows the user to block traffic from private, loopback and reserved address spaces with the simple checking of a couple of boxes. It seems like an obvious extension of this functionality was missed in that I don't see any way to also block traffic to these same addresses.
rfc1918 states that "Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks. If such a router receives such information the rejection shall not be treated as a routing protocol error."
Is there a way to leverage these tables or aliases when creating my own firewall rules? It's easy enough to create my own alias for rfc1918 addresses, but maintaining other aliases for reserved networks, which change from time to time, seems unwieldy, especially when this appears to be a solved problem with pfSense's existing backend tables.
Does this possibility already exist? If not, is there a reason it isn't available?
-
By default, pfSense blocks everything incoming. This means you have to specifically enable what you want to come in. Also, the ISPs should be blocking those addresses.
-
Hmm, I think his question is how to use the bogons table in his own firewall rules.
-Rico
-
@JKnott said in Create rule with bogons:
By default, pfSense blocks everything incoming.
True on the WAN. But on the LAN it allows every destination. In other words, a LAN host can send a packet to a private IP address and pfSense will dutifully forward it out the WAN if there's no matching local route. rfc1918 says you should not do that.
@JKnott said in Create rule with bogons:
Also, the ISPs should also be blocking those addresses.
What if pfSense is the ISP?
@Rico said in Create rule with bogons:
Hmm, I think his question is how to use the bogons table in his own firewall rules.
Yes, that's the question, and that would be lovely.
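As an added illustration of the egress rule the thread is asking for (not from the original posts and not something the pfSense GUI generates), here is what the same idea looks like in raw pf syntax on the box itself. It assumes the interface names em0/em1, that pfSense keeps its bogon list in /etc/bogons and /etc/bogonsv6 (both assumptions), and that the reserved-space list is defined inline since pfSense ships no separate table for it.

```pf
# Interface names are assumptions; substitute your WAN and LAN interfaces.
wan_if = "em0"
lan_if = "em1"

# Tables pfSense already maintains for its "Block bogon networks" checkbox
# (file paths assumed). 'persist' keeps the table alive across rule reloads.
table <bogons>   persist file "/etc/bogons"
table <bogonsv6> persist file "/etc/bogonsv6"

# RFC 1918 plus the other non-routable IPv4 ranges the thread mentions;
# defined by hand because no GUI alias exposes them. 'const' makes the
# table immutable once loaded so nothing can quietly add or remove entries.
table <private_v4> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                           127.0.0.0/8, 169.254.0.0/16, 100.64.0.0/10 }

# What the checkbox gives you today: drop inbound traffic sourced from
# bogon or private space on the WAN.
block in  log quick on $wan_if inet  from <bogons>     to any
block in  log quick on $wan_if inet6 from <bogonsv6>   to any
block in  log quick on $wan_if inet  from <private_v4> to any

# The missing half from the original question: drop traffic that would
# otherwise be forwarded OUT the WAN toward those same ranges. Filtering
# on the WAN's outbound side leaves LAN-to-LAN private traffic untouched.
block out log quick on $wan_if inet  from any to <bogons>
block out log quick on $wan_if inet6 from any to <bogonsv6>
block out log quick on $wan_if inet  from any to <private_v4>

# Everything else that is allowed to leave the WAN.
pass out quick on $wan_if keep state
```

If the WAN itself sits in a private range (for example behind an upstream NAT), add a `pass out quick on $wan_if to $wan_if:network` line before the `<private_v4>` egress block so the local WAN subnet is still reachable; the `log` keyword makes every hit visible in the firewall log, which is the fastest way to spot misconfigured hosts that try to reach private space across the WAN.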