Hi Tom, list members,

Shorewall has NULL_ROUTE_RFC1918. I'd like to propose another one: NULL_ROUTE_RFC5737. This RFC describes the address ranges that are reserved for documentation. Quoting from https://tools.ietf.org/html/rfc5737:

"The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3) are provided for use in documentation."

I'm currently blocking these by simply adding these ranges to /etc/shorewall/routes. But it would be nice to set it in shorewall.conf because this will give (blocking) these particular subnets a bit more attention.

And while on the topic; perhaps for IPv6/shorewall6 there can be a NULL_ROUTE_RFC4193 and NULL_ROUTE_RFC3849 that would null-route respectively the fc00::/7 range which is reserved for Unique Local IPv6 Unicast Addresses, and the 2001:DB8::/32 range which is reserved for documentation.

https://tools.ietf.org/html/rfc4193
https://tools.ietf.org/html/rfc3849

This would be convenient and someone who would use these ranges either with IPv4 and/or with IPv6 could set ROUTE_FILTER=Yes.

What do you think? :)

Thanks,
Mark

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
> And while on the topic; perhaps for IPv6/shorewall6 there can be a
> NULL_ROUTE_RFC4193 and NULL_ROUTE_RFC3849 that would null-route
> respectively the fc00::/7 range which is reserved for Unique Local IPv6
> Unicast Addresses, and the 2001:DB8::/32 range which is reserved for
> documentation.

Another range (yes, sorry, hehe) one might want to block is from the deprecated 6bone ranges defined in RFC 3701, which actually describes two blocks that are no longer operational:

5F00::/8 (TEST_OLD)
3FFE::/16 (TEST_NEW)

One might think that it's overkill to block these since they are no longer used. In my opinion it's better to filter out these ranges on the local end than relying on the remote end. Consider the following document for instance:

http://www.sixxs.net/archive/docs/IEPG2013_ULA_in_the_wild.pdf

And a synopsis:

http://www.sixxs.net/news/2013/#ulainthewild-0728

Quote:
"Geoff Huston presented at the IEPG meeting his findings of ULA in the Wild. He found amongst others that there is a large amount of networks apparently using fd00::/48. [...]"

As a responsible network administrator one does conform to BCP-38, which solves a number of potential attacks against your network and prevents these kind of leaks.

Mark