Request comment: list of IPs to block outbound

Stephen Satchell list at satchell.net
Sun Oct 20 02:06:20 UTC 2019


After reviewing the comments from people on NANOG and some other
locations, I have updated my list of routes to blackhole.  The
information at the end of this contribution is taken from the
RHEL/CentOS NetworkManager dispatcher.d source file, which I use to
install and remove the blackhole routes when the WAN interface is
started and stopped.

First, let me expand on what I'm trying to do.  The NetFilter NFTABLES
includes in its tests the ability to determine if the source address of
a packet is routeable, and further classifies the result as LOCAL,
BROADCAST, UNICAST, BLACKHOLE, and PROHIBITED, among others, as well as
the interface that would be selected.

By using the routing table in this way, maintaining the configuration of
the firewall is simplified, particularly when interfaces are brought up
or taken down.  There is no coding change to the firewall.

The fact that I can't send packets upstream with bad destinations is not
the goal here.  The goal is to detect packets inbound with bad source
addresses that would affect my network, as well as ensuring that
outbound packets have good source addresses.

Herewith is the revised information for your constructive criticism:

> # Default IPv6 routing table (sorted by ipv6 address):
> # ====================================================
> # $ route -n6
> # Kernel IPv6 routing table
> # Destination                    Next Hop Flag Met Ref Use If
> # ------------------------------ -------- ---- --- --- --- -------
> # ::/0                           ::       !n   -1  1     0 lo
> # ::/0                           ::       !n   -1  1     0 lo
> # ::1/128                        ::       U    256 1     0 lo
> # ::1/128                        ::       Un   0   4     0 lo
> # fe80::/64                      ::       U    256 1     0 enp37s0
> # fe80::7285:c2ff:fec0:bdff/128  ::       Un   0   2     0 enp37s0
> # ff00::/8                       ::       U    256 6     0 enp37s0
> 
> # [-] -- not included in blacklist, part of default routes
> # [#] -- not included in blacklist, policy
> 
> # investigate https://www.team-cymru.com/bogon-reference-http.html
> # need to better understand Teredo tunneling
> # rp_filter does the same as the nftables source routing check
> 
> 
> nets="
> 0.0.0.0/8           Software        Current network (only valid as \
>                                     source address).
> 10.0.0.0/8          Private network Used for local communications \
>                                     within a private network.
> -100.64.0.0/10      Private network Shared address space for \
>                                     communications between a \
>                                     service provider and its \
>                                     subscribers when using a \
>                                     carrier-grade NAT.
> 127.0.0.0/8         Host            Used for loopback addresses \
>                                     to the local host.
> 169.254.0.0/16      Subnet          Used for link-local addresses \
>                                     between two hosts on a single \
>                                     link when no IP address is \
>                                     otherwise specified, such as \
>                                     would have normally been \
>                                     retrieved from a DHCP server.
> 172.16.0.0/12       Private network Used for local communications \
>                                     within a private network.
> 192.0.0.0/24        Private network IETF Protocol Assignments.
> 192.0.2.0/24        Documentation   Assigned as TEST-NET-1, \
>                                     documentation and examples.
> 192.88.99.0/24      Internet        Reserved. Formerly used for \
>                                     IPv6 to IPv4 relay (2002::/16).
> 192.168.0.0/16      Private network Used for local communications \
>                                     within a private network.
> 198.18.0.0/15       Private network Used for benchmark testing of \
>                                     inter-network communications \
>                                     between two separate subnets.
> 198.51.100.0/24     Documentation   Assigned as TEST-NET-2, \
>                                     documentation and examples.
> 203.0.113.0/24      Documentation   Assigned as TEST-NET-3, \
>                                     documentation and examples.
> 224.0.0.0/4         Internet        In use for IP multicast. \
>                                     (Former Class D network).
> 240.0.0.0/4         Internet        Reserved for future use. \
>                                     (Former Class E network).
> 255.255.255.255/32  Subnet          Reserved for the 'limited \
>                                     broadcast' destination address.
> -::/0               Routing         Default route.
> ::/128              Software        Unspecified address.
> -::1/128            Host            Loopback address to the local \
>                                     host.
> ::ffff:0:0/96       Software        IPv4 mapped addresses.
> ::ffff:0:0:0/96     Software        IPv4 translated addresses.
> 64:ff9b::/96        Global Internet IPv4/IPv6 translation.
> 100::/64            Routing         Discard prefix.
> -2001::/32          Global Internet Teredo tunneling.
> 2001:20::/28        Software        ORCHIDv2.
> 2001:db8::/32       Documentation   Addresses used in documentation \
>                                     and example source code.
> 2002::/16           Global Internet The 6to4 addressing scheme \
>                                     (now deprecated).
> fc00::/7            Private network Unique local address.
> -fe80::/10          Link            Link-local address.
> -ff00::/8           Global Internet Multicast address.
> "
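As an added example (not the author's dispatcher script, which the post does not include): a small POSIX shell script that parses a `nets` table in exactly the format quoted above, skips the `-` entries, and prints the `ip route` commands that would install or remove the blackhole routes, plus a minimal nftables fragment showing the `fib` source checks that consult those routes. The function names, the constructed sample table and the chain layout in the ruleset are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the author's dispatcher script: turn a nets table in the
# post's format into the `ip route` commands that would install or remove the
# blackhole routes, and show the nftables fib checks that rely on them.
# Function names and the ruleset layout are assumptions for this example.

# Constructed sample table in the post's format (abbreviated). A leading '-'
# marks an entry that is listed for reference but must not be blackholed.
nets="
0.0.0.0/8           Software        Current network (only valid as \
                                    source address).
10.0.0.0/8          Private network Used for local communications.
-100.64.0.0/10      Private network Shared address space (CGNAT).
192.0.2.0/24        Documentation   TEST-NET-1.
-::/0               Routing         Default route.
::/128              Software        Unspecified address.
2001:db8::/32       Documentation   Documentation prefix.
-fe80::/10          Link            Link-local address.
"

# Print one prefix per line, skipping blank lines and '-' entries.
blackhole_prefixes() {
    printf '%s\n' "$nets" | awk 'NF && $1 !~ /^-/ { print $1 }'
}

# Emit the `ip route` commands for $1 = add | del. Commands are printed,
# not executed, so the list can be reviewed before it is run as root
# (for instance from a NetworkManager dispatcher script on WAN up/down).
route_cmds() {
    action=$1
    blackhole_prefixes | while read -r prefix; do
        case $prefix in
            *:*) family=6 ;;   # IPv6 prefixes contain a colon
            *)   family=4 ;;
        esac
        printf 'ip -%s route %s blackhole %s\n' "$family" "$action" "$prefix"
    done
}

# nftables rules that consult the routing table instead of hard-coding the
# list: a packet whose source address resolves to a blackhole, prohibit or
# unreachable route is dropped, and the reverse-path check (the nftables
# counterpart of rp_filter) drops sources with no route back out of the
# receiving interface. Only the source-address checks are shown; the rest of
# the policy is left out, so the chain policies here are just placeholders.
nft_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif lo accept
        fib saddr type { blackhole, prohibit, unreachable } counter drop
        fib saddr . iif oif missing counter drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        fib saddr type { blackhole, prohibit, unreachable } counter drop
    }
}
EOF
}

# Usage: sh blackhole-routes.sh add | del | nft
case ${1:-} in
    add|del) route_cmds "$1" ;;
    nft)     nft_ruleset ;;
esac
```

Because the rules query the routing table, adding or removing a blackhole route changes what the firewall drops without editing the ruleset, which is the property the post is after; the `-` entries (default route, link-local, loopback, shared CGNAT space) are left routable so that connected and on-link traffic is not caught by the check.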