Bogon (0.0.0.0/8)



  • Should "0.0.0.0/8" really be a bogon?  "0.0.0.0:68" is used for DHCP request.  Not that I serve DHCP on an interface with bogon filtering enabled (e.g. WAN interface) but suppose there could be a case where it is done (e.g. LAN interface).


  • Rebel Alliance Developer Netgate

    Yes because it's not valid in the same sense that any of the other bogon networks aren't valid.

    0.0.0.0 is different than 0.0.0.0/0, and if you're serving DHCP on a subnet, you don't need to block bogons on that segment since you can just restrict the rules to only passing your specific subnet and not allow from *.



  • What about responses from DHCP server on a WAN interface?

    Seems to partially break a portion of DHCP.

    For example:
    @39 block drop in log quick on bfe0_vlan98 from bogons:4794to any label "block bogon IPv4 networks from WAN"
    Jan 19 11:12:14 WAN     0.0.0.0:68     255.255.255.255:67 UDP</bogons:4794>


  • Rebel Alliance Developer Netgate

    That's a DHCP request, not a response. A response would be let back in by the state table.



  • Regardless of request / response.  Blocking it breaks that aspect of DHCP.


  • Rebel Alliance Developer Netgate

    No, unless you are running a DHCP server on the interface, you don't want to accept that packet.

    And if you are running a DHCP server, it's an internal interface and you probably shouldn't be blocking bogons, but rather only permitting out only your specific subnet as a source.



  • That is a standard and legitimate DHCP packet.  Why would we not want to accept it?  It is part of the DHCP protocol when the client does not have a current address.


  • Rebel Alliance Developer Netgate

    It is a DHCP request from some other client, not your firewall, going to a DHCP server on your WAN segment.

    It is not traffic for your firewall, so why would you want to accept it, even if it's valid for some other host?



  • @jimp:

    It is a DHCP request from some other client, not your firewall, going to a DHCP server on your WAN segment.

    It is not traffic for your firewall, so why would you want to accept it, even if it's valid for some other host?

    This. It does not break DHCP, it blocks other hosts' DHCP traffic, which is what you want in that scenario. Blocking bogons is only relevant on Internet connections, and you never want to be serving DHCP on Internet connections. Bogons only impact DHCP from a server perspective, not client.


Locked