Block private & bogon networks



  • Hello!

    I have a 6 NIC box, with 3 LAN and 3 WAN. The options [Block private networks] & [Block bogon networks] appear only on the first WAN interface of pfSense.

    If I want to filter private & bogon networks at my 3 WAN …

    Must I define [Aliases] for private & bogon networks and put blocking rules at my 3 WAN?

    Is it correct?

    Note: I have a snort machine at the LAN side and sometimes it detects some packets from private & bogon networks.

    Regards,

    Josep Pujadas



  • I'd hope you're using "private" (RFC1918) addresses on your LAN, unless of course you've been allocated a netblock of your own…



  • Yes, of course …

    But sometimes I see things like these:

    Generated by BASE v1.3.5 (marie) on Thu, 17 May 2007 20:58:05 +0200

    #1-59854| [2007-05-16 11:53:48] 10.2.44.1 -> 192.168.XXX.XXX [local/485] [snort/1:485]  ICMP Destination Unreachable Communication Administratively Prohibited
    #1-59855| [2007-05-16 11:53:51] 10.2.44.1 -> 192.168.XXX.XXX [local/485] [snort/1:485]  ICMP Destination Unreachable Communication Administratively Prohibited
    #1-59856| [2007-05-16 11:53:54] 10.2.44.1 -> 192.168.XXX.XXX [local/485] [snort/1:485]  ICMP Destination Unreachable Communication Administratively Prohibited
    #1-59858| [2007-05-16 11:53:57] 10.2.44.1 -> 192.168.XXX.XXX [local/485] [snort/1:485]  ICMP Destination Unreachable Communication Administratively Prohibited
    #1-59859| [2007-05-16 11:54:03] 10.2.44.1 -> 192.168.XXX.XXX [local/485] [snort/1:485]  ICMP Destination Unreachable Communication Administratively Prohibited
    #1-59861| [2007-05-16 11:54:15] 10.2.44.1 -> 192.168.XXX.XXX [local/485] [snort/1:485]  ICMP Destination Unreachable Communication Administratively Prohibited

    and if I do (with one of my FreeBSD servers at the LAN side):

    nmap -v -P0 10.2.44.1

    10.2.44.1 has no ports open but it is alive!!!

    Regards,

    Josep Pujadas



  • A number of ISPs use RFC1918 addresses internally - certainly my initial DHCP lease comes from a 10.x address and parts of my traceroute to the Internet go through various RFC1918 addresses.  Also, many cable and ADSL modems have an RFC1918 configuration address.

    In short - I'm not surprised by what you're seeing.
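The two posts above (alerts from a 10.x source reaching the LAN, and the explanation that ISPs often use RFC1918 space internally) can be checked mechanically. The script below is an added example, not code from the thread or from pfSense: it parses BASE/snort alert lines of the form shown above, classifies each source against RFC1918 and a static bogon list (an assumption, since pfSense pulls a live bogon feed), and prints the CIDRs one would paste into a pfSense alias for rules on the other WAN interfaces. The alert lines and addresses are constructed; the 192.168.XXX.XXX destination in the post is replaced by a made-up host.

```python
import ipaddress
import re

# RFC 1918 space, what pfSense's "Block private networks" option covers.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Static bogon list (reserved space per RFC 5735/6890). Assumption: a real
# deployment should use a current bogon feed, as pfSense's option does.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# Matches the "[timestamp] src -> dst" part of a BASE alert line.
ALERT_RE = re.compile(r"\[(?P<ts>[\d: -]+)\] (?P<src>[\d.]+) -> (?P<dst>[\d.]+)")

# Constructed sample alerts in the same layout as the thread's BASE output.
SAMPLE_ALERTS = [
    "#1-59854| [2007-05-16 11:53:48] 10.2.44.1 -> 192.168.1.10 [local/485] [snort/1:485]  ICMP Destination Unreachable",
    "#1-59855| [2007-05-16 11:53:51] 10.2.44.1 -> 192.168.1.10 [local/485] [snort/1:485]  ICMP Destination Unreachable",
    "#1-59856| [2007-05-16 11:53:54] 203.0.113.9 -> 192.168.1.10 [local/485] [snort/1:485]  ICMP Destination Unreachable",
    "#1-59857| [2007-05-16 11:53:57] 91.22.3.4 -> 192.168.1.10 [local/485] [snort/1:485]  ICMP Destination Unreachable",
]


def classify(addr: str) -> str:
    """Return 'private', 'bogon' or 'public' for a dotted-quad address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    if any(ip in net for net in BOGON_NETS):
        return "bogon"
    return "public"


def flag_alerts(lines):
    """Return (src, class) for each alert whose source is not public space."""
    findings = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m is None:          # not an alert line (e.g. the BASE header)
            continue
        kind = classify(m.group("src"))
        if kind != "public":
            findings.append((m.group("src"), kind))
    return findings


def alias_cidrs():
    """CIDRs for a pfSense alias that blocks private + bogon sources on a WAN."""
    return [str(net) for net in PRIVATE_NETS + BOGON_NETS]


if __name__ == "__main__":
    for src, kind in flag_alerts(SAMPLE_ALERTS):
        print(f"{src:16} {kind}")
    print("alias:", ", ".join(alias_cidrs()))
```

Sources classified as private that still reach the LAN (like 10.2.44.1 here) are consistent with the ISP-internal addressing described above; an alias-based block rule on each WAN stops them before snort sees them.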



  • Ok!

    Thanks, Cry

