Re: Request comment: list of IPs to block outbound
From: William Herrin <bill () herrin us>
Date: Sun, 13 Oct 2019 09:24:39 -0700
On Sun, Oct 13, 2019 at 8:58 AM Stephen Satchell <list () satchell net> wrote:
> The following list is what I'm thinking of using for blocking traffic between an edge router acting as a firewall and an ISP/upstream. This table is limited to address blocks only; TCP/UDP port filtering, and IP protocol filtering, is a separate discussion. This is for an implementation of BCP-38 recommendations.
BCP-38 as it applies to outbound traffic is more about blocking SOURCE IP addresses. You should block everything whose source IP address is not within your assigned address space.
> 100.64.0.0/10  Private network  Shared address space[3] for communications between a service provider and its subscribers when using a carrier-grade NAT.
This space is set aside for your ISP to use. Like RFC1918 but for ISPs. It is not specifically CGNAT. Unless you are an ISP using this space, you should not block destinations in this space.
> 224.0.0.0/4  Internet  In use for IP multicast.
> 240.0.0.0/4  Internet  Reserved for future use.
> 255.255.255.255/32  Subnet  Reserved for the "limited broadcast" destination address.
This can be covered with a single rule: 224.0.0.0/3
> IPv6 Address block  Usage  Purpose
> ::/0  Routing  Default route.
The current IPv6 Internet is 2000::/3, not ::/0 and that won't change in the foreseeable future. You can tighten your filter to allow just that.

Regards,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/
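The egress policy Bill describes (drop on source address outside the assigned space, collapse the three destination blocks into 224.0.0.0/3, allow only 2000::/3 as an IPv6 destination, and leave 100.64.0.0/10 reachable) as an added Python example; it is not code from the thread, and the assigned prefixes are constructed placeholders.

```python
import ipaddress

# Constructed placeholders for the site's own allocations (not real assignments).
ASSIGNED = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("2001:db8::/32")]

# Single destination rule covering multicast (224/4), reserved (240/4)
# and limited broadcast (255.255.255.255/32).
BLOCKED_DST_V4 = [ipaddress.ip_network("224.0.0.0/3")]

# The currently used IPv6 Internet; anything else is rejected as a destination.
ALLOWED_DST_V6 = ipaddress.ip_network("2000::/3")


def aggregate_covers(aggregate, parts):
    """True if every network in `parts` lies inside `aggregate`."""
    agg = ipaddress.ip_network(aggregate)
    return all(ipaddress.ip_network(p).subnet_of(agg) for p in parts)


def egress_verdict(src, dst):
    """BCP-38 style decision for a packet leaving the site.

    Returns ('allow' | 'drop', reason). The primary check is on the SOURCE:
    it must fall inside our assigned space. Destination checks are secondary.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s.version != d.version:
        return ("drop", "address family mismatch")
    if not any(s in net for net in ASSIGNED if net.version == s.version):
        return ("drop", "source not in assigned space")
    if d.version == 4:
        if any(d in net for net in BLOCKED_DST_V4):
            return ("drop", "destination in 224.0.0.0/3")
    elif d not in ALLOWED_DST_V6:
        return ("drop", "destination outside 2000::/3")
    return ("allow", "ok")


if __name__ == "__main__":
    print(aggregate_covers("224.0.0.0/3",
                           ["224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32"]))
    print(egress_verdict("10.1.1.1", "198.51.100.1"))   # spoofed source: drop
    print(egress_verdict("192.0.2.10", "100.64.0.1"))   # shared space stays reachable
```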