Allow specific ip private address from WAN



  • I'm getting lots of firewall log messages:

    block/1000001581 Apr 10 17:21:13 WAN Block private networks from WAN block 10/8 (1000001581) 10.139.160.1:67 255.255.255.255:68 UDP
    block/1000001581 Apr 10 17:21:11 WAN Block private networks from WAN block 10/8 (1000001581) 10.139.160.1:67 255.255.255.255:68 UDP
    block/1000001581 Apr 10 17:21:08 WAN Block private networks from WAN block 10/8 (1000001581) 10.139.160.1:67 255.255.255.255:68 UDP

    In the filterlog they look like this:
    Apr 10 17:21:08 TheFirewall filterlog: 59,16777216,,1000001581,em0,match,block,in,4,0x0,,64,3594,0,none,17,udp,328,10.139.160.1,255.255.255.255,67,68,308
    Apr 10 17:21:11 TheFirewall filterlog: 59,16777216,,1000001581,em0,match,block,in,4,0x0,,64,4069,0,none,17,udp,328,10.139.160.1,255.255.255.255,67,68,308
    Apr 10 17:21:13 TheFirewall filterlog: 59,16777216,,1000001581,em0,match,block,in,4,0x0,,64,4253,0,none,17,udp,328,10.139.160.1,255.255.255.255,67,68,308

    I think these messages are coming from my cable modem or the provider.

    I didn't find a possibility to add a rule which allows this traffic as long as the RFC 1918 blocking rules are active.
    Is there a way to place such a rule before the "Block private networks" rule?

    Thanks
    Werner



  • Unfortunately, that isn't a rule that you can unset the logging on.  Go to Interfaces - WAN - Private Networks - Block private networks.  Uncheck it.  That will stop the block as well as the log entries.



  • Yes, I know that. But I don't like to open the WAN interface for private network addresses.

    Thanks for your reply.



  • The IPv4 private networks list is not long anyway, you can easily make your own alias for it and make rules using the alias. That gives you whatever flexibility you like to put other rules before or after blocking private networks with or without logging or…

    192.168.0.0/16
    10.0.0.0/8
    172.16.0.0/12

    and just for completeness there is the Carrier-Grade NAT (CGN) block:
    100.64.0.0/10
    that you might see traffic from, or that might appear in a traceroute through your ISP.
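    An added example, not code from anyone in this thread: a small Python parser for the filterlog lines quoted in the first post that checks each source against the hand-built alias described above (RFC 1918 plus the CGN block) and tallies the blocked inbound DHCP broadcast noise per source and tracker ID, so you can see what is filling the log before deciding whether to stop logging it. The hostname TheFirewall comes from the posted lines; the fourth sample line is a constructed TCP entry using documentation addresses.

```python
import ipaddress
from collections import Counter

# Sample input: the three filterlog lines posted above, plus one constructed TCP entry.
SAMPLE_LOG = """\
Apr 10 17:21:08 TheFirewall filterlog: 59,16777216,,1000001581,em0,match,block,in,4,0x0,,64,3594,0,none,17,udp,328,10.139.160.1,255.255.255.255,67,68,308
Apr 10 17:21:11 TheFirewall filterlog: 59,16777216,,1000001581,em0,match,block,in,4,0x0,,64,4069,0,none,17,udp,328,10.139.160.1,255.255.255.255,67,68,308
Apr 10 17:21:13 TheFirewall filterlog: 59,16777216,,1000001581,em0,match,block,in,4,0x0,,64,4253,0,none,17,udp,328,10.139.160.1,255.255.255.255,67,68,308
Apr 10 17:22:00 TheFirewall filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,55,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51234,443,0,S,,,
"""

# The alias the thread suggests building by hand: RFC 1918 plus the CGN block.
PRIVATE_ALIAS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def parse_filterlog(line):
    """Split one pfSense filterlog line into the fields used here (IPv4 only). CSV order after
    'filterlog: ': rule, sub-rule, anchor, tracker, interface, reason, action, direction,
    ip-version, tos, ecn, ttl, id, offset, flags, proto-id, proto, length, src, dst, [sport, dport, ...]"""
    _, _, payload = line.partition("filterlog: ")
    f = payload.strip().split(",")
    if len(f) < 20 or f[8] != "4":
        return None  # not an IPv4 filterlog line
    rec = {"tracker": f[3], "iface": f[4], "action": f[6], "direction": f[7],
           "proto": f[16], "src": f[18], "dst": f[19], "sport": None, "dport": None}
    if rec["proto"] in ("tcp", "udp") and len(f) > 21:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec

def is_private_src(rec):
    """True if the source address falls inside the hand-built private alias."""
    return any(ipaddress.ip_address(rec["src"]) in net for net in PRIVATE_ALIAS)

def is_dhcp_broadcast(rec):
    """DHCP server-to-client broadcast: UDP 67 -> 68 to the limited broadcast address."""
    return (rec["proto"] == "udp" and rec["dst"] == "255.255.255.255"
            and rec["sport"] == 67 and rec["dport"] == 68)

def summarize(log_text):
    """Tally blocked inbound packets per (src, tracker): DHCP noise from private space vs the rest."""
    noise, other = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block" or rec["direction"] != "in":
            continue
        key = (rec["src"], rec["tracker"])
        (noise if is_private_src(rec) and is_dhcp_broadcast(rec) else other)[key] += 1
    return noise, other
```

    Running summarize() over a day of filterlog output shows whether the entries are all the same DHCP server chatter (one source, one tracker ID) or whether something else from private space is also being blocked.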



  • You're not really opening anything on WAN since any traffic still has to make it past your ruleset, just like public IP space.  The Block Private networks option just drops any packets from private space.



  • Solved!

    Thank you KOM and phil.davis for your help.

    Sincerely
    Werner


  • LAYER 8 Global Moderator

    Why would you want to allow that dhcp noise??  That is not your request for dhcp, that is others on your same isp.  There are rules to allow your dhcp request on your wan to work.

    I really don't see the point of specifically blocking private or bogon to be honest.  Everything is blocked on my wan, doesn't matter if you're bogon or private anyway.  The allows I have are into my vpn, don't care if you hit that with a bogon address or a private one - since everyone else on the public net can hit it anyway.  Same goes for my other forwards.

    If you wanted to block specific shit from hitting your services that are open/forwarded, blocking bad countries' netblocks might be better than some non-routable address anyway.



  • My first intention was to ban this garbage from my log by creating a blocking rule without logging it.
    Second, I was wondering what this is, by allowing it temporarily while sniffing the traffic.

    Then the general question came up: is it possible at all to define a rule which is executed before these private and bogon network rules?


  • Banned

    @WSchweizer:

    Then the general question came up: is it possible at all to define a rule which is executed before these private and bogon network rules?

    No. Just stop logging those.

