Should RFC1918 alias include more than just 3 or 4 subnets?



  • Hello All,

    I posed this question in one of my earlier posts (where it hasn't gotten any replies), but perhaps I should have broken it out into its own dedicated post from the very onset.

    Anyways, so there was this question/doubt as to whether subnet 127.0.0.0/8 should be blocked/rejected, by including it in a RFC1918 alias.

    In addition to that, the question I have is, whether other subnets should also be blocked?

    I ask this because I came across an excerpt (from a book on VOIP Security - see attached image) that mentions a whole bunch of subnets which must be blocked….and 127.0.0.0/8 is certainly one of them.  I do plan on having a RasPi running RasPBX behind my firewall, and the latter was the whole intent of me getting pfSense (or any firewall for that matter) installed at home.

    My RFC1918 alias currently has the following subnets included (the last one was added just two days back):

    192.168.0.0/16
    172.16.0.0
    10.0.0.0
    127.0.0.0

    The book mentions that the following subnets must also be included (refer to attached image for description of each subnet):

    0.0.0.0/8
    169.254.0.0/16
    192.0.2.0/24
    224.0.0.0/4
    240.0.0.0/5
    248.0.0.0/5
    255.255.255.255/32

    Makes sense, or hogwash?

    Thanks.



  • Rebel Alliance Developer Netgate

    Those are special-use nets (and that's not a complete list either!) which may or may not be useful to block depending on your network.

    Typically when people want to block "private" networks they only want the top three: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16  (be sure to get the subnet masks right on those!)



  • Oh okay….thanks for providing me that information Jimp...much appreciated!

    Somehow my subnet masks didn't get posted correctly, but they are as follows:

    192.168.0.0/16
    172.16.0.0/12
    10.0.0.0/8
    127.0.0.0/8

    Do let me know if any of those aren't correct....and whether or not the last subnet should be included in there at all.

    Cheers.


  • Rebel Alliance Developer Netgate

    Traffic from 127.0.0.0/8 is loopback and shouldn't be seen on the wire, so if you're looking to block invalid traffic, that's OK to block, but it is not what I'd consider a "private network". Bogon, sure, but not private.
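The two points made above, getting the subnet masks right on the alias entries and keeping loopback in the bogon category rather than the private one, can be checked mechanically. The following is an added example for this thread, not pfSense or Netgate code: it validates an alias list the way a careful admin would before loading it (an entry with no prefix length would match a single host, and a prefix whose address has host bits set is rejected), then classifies sample source addresses as private, bogon or routable using only the ranges named in the thread. The alias entries and sample addresses are constructed for illustration; the bogon list is deliberately as incomplete as the book's.

```python
import ipaddress

# Added example for this thread (not pfSense or Netgate code). The alias
# entries and sample source addresses below are constructed for illustration.

# The "top three" RFC 1918 private networks referred to above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Other special-use / bogon ranges named in the thread. Loopback lives here,
# not in the private list. This is deliberately not a complete bogon list.
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",            # "this" network
    "127.0.0.0/8",          # loopback, never valid on the wire
    "169.254.0.0/16",       # link-local
    "192.0.2.0/24",         # TEST-NET documentation range
    "224.0.0.0/4",          # multicast
    "240.0.0.0/5",          # reserved (240/5 and 248/5 together are 240/4)
    "248.0.0.0/5",
    "255.255.255.255/32",   # limited broadcast
)]


def check_alias(entries):
    """Return [(entry, problem)] for alias entries that are not well-formed
    subnets. Catches the mistake from the first post: an address with no
    prefix length, which a firewall treats as a single /32 host, and a
    prefix whose address is not the base of the network it names."""
    problems = []
    for entry in entries:
        if "/" not in entry:
            problems.append((entry, "no prefix length; matches one host, not a subnet"))
            continue
        try:
            ipaddress.ip_network(entry)  # strict by default: host bits set -> ValueError
        except ValueError as exc:
            problems.append((entry, str(exc)))
    return problems


def classify(address):
    """'private' for RFC 1918, 'bogon' for the special-use ranges above,
    otherwise 'routable'."""
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in RFC1918):
        return "private"
    if any(ip in net for net in SPECIAL_USE):
        return "bogon"
    return "routable"


def wan_decisions(sources):
    """Decide, per source address seen on the WAN side, whether a rule built
    from these aliases should reject it. Both private and bogon sources are
    invalid on an internet-facing interface; only routable ones pass."""
    return {src: ("reject" if classify(src) != "routable" else "pass") for src in sources}


if __name__ == "__main__":
    # Constructed alias as it first appeared in the thread (masks missing).
    for entry, why in check_alias(["192.168.0.0/16", "172.16.0.0", "10.0.0.0", "127.0.0.0"]):
        print(f"bad alias entry {entry}: {why}")
    # Constructed sample of WAN source addresses. 203.0.113.7 is a documentation
    # address the thread's list does not cover, so it classifies as routable here,
    # which is exactly the "not a complete list" caveat made above.
    for src, verdict in wan_decisions(["203.0.113.7", "10.1.2.3", "127.0.0.1", "169.254.10.1"]).items():
        print(f"{src:>16}  {classify(src):8}  {verdict}")
```

Run it as-is to see the three mask-less entries flagged; feed it the corrected list from the follow-up post and `check_alias` returns an empty list. The classifier keeps loopback under "bogon" rather than "private" so a rule that only blocks the RFC 1918 alias would not catch it, matching the distinction drawn above.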



  • Perfect…thanks again  :)