Monday, May 04, 2020

Re: pf table for all publicly routable ipv4 addresses

Just a question and a thought, maybe.

I am not sure why you have this pass-valid table as opposed to block.

The reason is that if you pass all valid IPs, then for some service you want
to block, don't you have to add more rules to do that, as opposed to only
allowing incoming from the services you want?

Looks to me you do:

1. Block all.

2. Pass all valid IPv4

3. Block to protect devices you want not to be open to all.

4. Allow specific services on the above ones.

Maybe I don't get it. You may have a very valid reason or preference,
but thinking about it, I see it as being more confusing and less
efficient in the global number of rules.

Me, I have, for the relevant part:


# Block of IP's that shouldn't ever be seen on the Internet.
# Refer to RFC 919, 922, 1122, 1918, 3171, 3927, 5735, 5736,
# 5737 and 5771
# When CARP is used, without peercarp, don't block multicast 224.0.0.0/24
table <reserved> const { 0/8, 10/8, 100.64/10, 127/8, 169.254/16, \
172.16/12, 192/24, 192.0.2/24, 192.168/16, 198.18/15, \
198.51.100/24, 203.0.113/24, 224/4, 240/4, 255.255.255.255/32 }

...

# Drop all packets from the reserved address space.
block drop quick on egress inet from <reserved>
block drop quick on egress inet to <reserved>

....

Maybe this is useful or not.

Just wanted to offer you food for thought just in case.

Do as you see fit, maybe I am wrong. I assume no one else, or surely a
very limited number of users, would do as you want, pass all and then
block later. In any case, what do I know really; I am more than willing
to be wrong.

I think you have way less chance of mistake when you block all and only
allow what you need.

Daniel


On 5/4/20 4:42 PM, Marko Cupać wrote:
> On 2020-05-04 19:23, Stuart Henderson wrote:
>> On 2020-05-04, Marko Cupać <marko.cupac@mimar.rs> wrote:
>>> Hi,
>>>
>>> I'd like to create pf table "all publicly routable ipv4 addresses". Is
>>> this possible with some short syntax?
>>>
>>> Thank you in advance.
>>>
>>
>> something like this?
>>
>> # https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
>> table <routable> {
>>     !0.0.0.0/8
>>     !10.0.0.0/8
>>     !100.64.0.0/10
>>     !127.0.0.0/8
>>     !169.254.0.0/16
>>     !172.16.0.0/12
>>     !192.0.0.0/24
>>     !192.0.2.0/24
>>     !192.168.0.0/16
>>     !198.18.0.0/15
>>     !198.51.100.0/24
>>     !203.0.113.0/24
>>     !224.0.0.0/3
>> }
>
> Yes. I want to have the opposite of <martians> table described in pf faq:
> https://www.openbsd.org/faq/pf/example1.html#pf
>
> ...so I can permit hosts on the guest vlan to access Internet hosts, but not
> hosts on other private vlans, similar to:
>
> block log all
> pass in on $guest_vlan from $guest_vlan:network to <routable>
>
> However, this apparently doesn't work. If I tested well, your <routable>
> table expands to "no addresses", not "all addresses but those".
>
> I thought I could do such a table like this:
>
> table <routable> {    0.0.0.0/0 \
>                      !0.0.0.0/8 \
>                          ...
>                    !224.0.0.0/3 }
>
> ...but https://www.openbsd.org/faq/pf/tables.html#addr states that "One
> limitation when specifying addresses is that 0.0.0.0/0 and 0/0 will not
> work in tables".
>
> I know I can solve this by reordering rules, and using block instead of
> pass, but I'd really like to have a table of all publicly routable ip
> addresses in pf.
>
> Regards,
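Since pf will not accept 0.0.0.0/0 in a table and a table made only of negated entries expands to nothing (as Marko found), the positive table of publicly routable IPv4 addresses has to be handed to pf as an explicit list of prefixes. The script below is an added example, not code from anyone in the thread: it carves Stuart's bogon list out of 0.0.0.0/0 with the Python standard library and prints the complement one prefix per line, which is the format pf loads with `table <routable> persist file "/etc/routable.txt"` in pf.conf. The output path and the table name are assumptions; the bogon prefixes are the ones quoted above (224.0.0.0/3 already covers Daniel's 224/4, 240/4 and 255.255.255.255/32 entries).

```python
import ipaddress

# Bogon prefixes copied from Stuart's <routable> table in the thread
# (the aggregated Team Cymru list). 224.0.0.0/3 covers all of 224/4 and 240/4.
RESERVED = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/3",
]


def routable_prefixes(reserved=RESERVED):
    """Complement of `reserved` within 0.0.0.0/0 as a sorted, minimal CIDR list.

    pf cannot express "0/0 minus these" inside a table, so the bogons are
    carved out of the whole IPv4 space here and pf gets the positive result.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for bogon in (ipaddress.ip_network(p) for p in reserved):
        carved = []
        for net in remaining:
            if net.subnet_of(bogon):
                continue                                   # fully reserved: drop
            if bogon.subnet_of(net):
                carved.extend(net.address_exclude(bogon))  # split net around bogon
            else:
                carved.append(net)                         # disjoint: keep
        remaining = carved
    # collapse_addresses merges adjacent pieces back into the largest prefixes
    return sorted(ipaddress.collapse_addresses(remaining))


def is_routable(addr, nets=None):
    """True if `addr` lies inside the computed routable prefixes."""
    ip = ipaddress.ip_address(addr)
    nets = routable_prefixes() if nets is None else nets
    return any(ip in net for net in nets)


def address_count(nets):
    """Total number of IPv4 addresses covered by `nets`."""
    return sum(net.num_addresses for net in nets)


def pf_table_file(nets):
    """One prefix per line: the file format read by
    `table <routable> persist file "/etc/routable.txt"` (assumed path)."""
    return "".join(f"{net}\n" for net in nets)


if __name__ == "__main__":
    nets = routable_prefixes()
    print(f"# {len(nets)} prefixes, {address_count(nets)} addresses")
    print(pf_table_file(nets), end="")
```

Redirect the output to the file named in the pf.conf `table ... file` line and reload with `pfctl -f`; when the bogon list changes, regenerate the file and run `pfctl -t routable -T replace -f /etc/routable.txt`. Marko's own fallback, a default `block` followed by `pass` rules and a `<martians>`-style block, remains the simpler rule set; the generated table is for the case where a positive "routable" table is genuinely wanted, for example to reference it from several pass rules.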
