Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Ridicoulus amount of private traffic hitting WAN

    Scheduled Pinned Locked Moved Firewalling
    23 Posts 2 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      furom @johnpoz
      last edited by

      @johnpoz said in Ridicoulus amount of private traffic hitting WAN:

      you could really debate the usefulness of blocking rfc or bogon

      The way you put it, yes, sounds reasonable. I just have them on as it is the pfSense recommended way. As is right now at least, I have no need for any open ports, but still want to build in a way I could open some and not having to reinvent the whole wheel...

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @furom
        last edited by johnpoz

        @furom haha lets go through a scenario that you do open a port.

        Is this something you would open to the whole internet? If so what is the difference if someone on your same ISP or some device your isp was trying to talk to this open port from say rfc1918.. Your open to the whole internet anyway.

        Better practice if opening anything up to the internet would be to lock the access to the IPs to those that might use it.. For example in mine.. That alias includes US ip space, which does not include rfc1918.. It also includes some specific IPs for monitoring services (which some are international IP space), and I do have a user of my plex currently living in Morocco, so those IPs are allowed. Again none of this space includes rfc1918, nor bogon, nor 5375, etc. So the blocking of those before become pointless from a security point of view.. Since the port forward doesn't allow them anyway.

        Since something from bogon or rfc1918 would not be allowed anyway, nor would say an IP from DE, or Russia, etc. or China, etc. etc. The block rfc1918 and bogon rules really become pointless.

        IMHO those rules are really left over from a bygone era - I was around during that, and sure the internet was a different place then..

        We have already run into some issues here on the boards with the bogon, as new space opened up and the bogon list wasn't updated that new valid IP space was blocked as bogon.. Is there really that much space even left in there hehe.. Any who, back in the day you could not easy create an allow list with specific countries or services, etc.

        You do you - and if you feel more comfortable blocking rfc1918 and bogon and 5735 - here to help you do that for sure. But their value from a security point of view -- I'm not seeing it to be honest.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        F 1 Reply Last reply Reply Quote 1
        • F
          furom @johnpoz
          last edited by

          @johnpoz lol! Yes, if I can help it I will keep things private and locked down appropriately. I will plan that carefully if that were to happen, right now it's just a thought but have no need :)

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.