Bogon Rules
-
I'm hoping one of you can help me wrap my head around the need for bogon rules at the firewall.
Assume the Wan interface faces the internet.
I am of the mindset that a Stateful Firewall will only allow inbound Wan traffic that matches up with an outgoing State Table entry. Eg: Client makes a connection request to some server on the Net, the firewall notes it and makes the table entry. Return traffic is bounced against the table entry and if it matches up, is allowed back in. Otherwise it's dropped at the firewall.
So, unless a client is trying to access a server in Bogon address space, ( unlikely, and would it even route ? ) I don't see how any Bogon address could make it through the firewall to begin with.
Unless I'm not thinking this out right, which is also entirely possible.
Thoughts ?
-
Port forwards for internal servers. You don't want bogon space hitting your public servers since nothing good comes from bogonland.
-
@OP - your analysis is correct - if WAN already has the default block all and no pass rules then nothing gets in from anywhere, including from bogon land.
As KOM says, you only need it if you have some pass rule/s on WAN. Port forwarding in to a server is an example. Others are OpenVPN server listening for site-to-site or road warrior incoming connections, you don't want to even consider incoming connection attempts from bogon addresses. -
Good deal.
I normally don't port forward much of anything through my home network*, rather I utilize a VPN if I need to access home resources while out and about :D
I had seen this recommendation before concerning blocking of the Bogon addresses, but didn't know if it was an outdated one or if there were specific reasons behind it.
Thanks for the heads up.
*Anyone who has perused the router / firewall logs over any given day knows why :D
-
The thing with bogon is your isp sholdn't route them in the first place.. So the odds that anything from bogon could hit your forwards should be impossible in the first place.
-
Having bogon rules on on my wan interface blocked dhcp6 responses from my isp. That I can't explain.
-
Well what did the dhcpv6 response come from? Have to assume something listed in the bogon ;)
-
Well what did the dhcpv6 response come from? Have to assume something listed in the bogon ;)
It came from a 8000::/1 subnet blocked by bogons. Keeps getting broken every couple of months. https://redmine.pfsense.org/issues/3395
-
I am not sure that is a sane setup. That includes all link local, does it not?
If me I would just remove bogon, or use the list in your own alias so you can edit as you see fit.
-
I am not sure that is a sane setup. That includes all link local, does it not?
Yes. It includes all link-local and I keep being told by the devs how perfectly fine that it. (There's another thread about CGN, broadcast and other crap in bogons elsewhere, see https://forum.pfsense.org/index.php?topic=88215.0)
If me I would just remove bogon, or use the list in your own alias so you can edit as you see fit.
So far, I was unable to find a clean bogons source file. Even the one from iBlocklist comes with 172.16/12 for whatever reason, even though the remaining RFC1918 ranges are not there. It also comes with the IPv4 broadcast ranges - 240/4. Noone wants to maintain/update that manually. (As for IPv6, cannot find any useful alternative source.)
What's really needed is the "Fullogons" list minus the (Un)aggregated one - http://www.team-cymru.org/Services/Bogons/http.html. ::) >:(
-
Short answer for me….
I'm using v2.2 release. Our company's WAN connection drops about once every 24 hours due to some bogon related failure. I turn off "block bogon networks" for the WAN interface and everything works. Didn't have this problem with the previous release.
Short question for me…
When will this be fixed?
I'm experiencing the exact same problem at home… same version of pfsense. Different ISP. Home = Cableone, Work = Comcast business.
-
I'm using v2.2 release. Our company's WAN connection drops about once every 24 hours due to some bogon related failure. I turn off "block bogon networks" for the WAN interface and everything works. Didn't have this problem with the previous release.
Again, https://redmine.pfsense.org/issues/3395 - this blocks DHCPv6.
Short question for me…
When will this be fixed?Unless you mean the specific issue with DHCPv6 above, probably never. I gave up on this. If you want DHCPv6 fixed, make noise on the linked bug.
-
pfsense is not the source of the bogon list are they, they pull it from elsewhere I thought. So not sure how pfsense would fix it other than doing their own manipulation of the bogon. If pfsense is doing their own list they maintain than it should be easy fix..
I personally don't agree with 8000::/1 since that includes all the link local..
So they do maintain it?
https://doc.pfsense.org/index.php/Show_Bogons
"pfSense maintains an internal list of "bogon" networks"Does that mean there is copy on pfsense, or that is downloaded from source x?? Or that pfsense creates this list that all the installs download from pfsense.org? And maintain it on the install?
From that bug report looks like pulled from here "8000::/1 is included in Cymru's v6 bogons list."
Guess could complain to them that 8000::/1 causes problems since it includes stuff that should be allowed.
-
pfsense is not the source of the bogon list are they, they pull it from elsewhere I thought. So not sure how pfsense would fix it other than doing their own manipulation of the bogon.
Well, that's already being done in /etc/rc.update_bogons.sh - unfortunately the job is vastly incomplete.
egrep -v "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /etc/bogons egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
-
Agreed if they are going to manipulate it, they should take it to the next level and pull the stuff out of 8000::/1 that should be allowed.
-
You could manually clear an entry in the Bogon table after each Bogon Update. Or add a Cron job to run immediately after the Bogon updates.
To list whats in the Bogons file
pfctl -t bogons -T showTo clear an entry
pfctl -t bogons -T deleteWith pfBlockerNG, you could disable the pfSense Bogon feature. Then Download the Bogon list from Team Cymru.org directly. pfBlockerNG will allow you to suppress any entries automatically on download. Then you can create an "Autorule" or a custom "Alias" to use in the firewall as required.
As doktornotor pointed out the rc.update_bogons.sh script is only removing the following entries.
v4 - "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8"
v6 - "^fc00::/7" -