Request comment: list of IPs to block outbound

Stephen Satchell list at satchell.net
Wed Oct 23 16:00:01 UTC 2019


On 10/23/19 8:18 AM, Grant Taylor via NANOG wrote:
> I suspect things like NetworkManager are somewhat at a disadvantage in
> that they are inherently machine local and don't have visibility beyond
> the directly attached network segments.  As such, they can't /safely/
> filter something that may be on the other side of a router.  Thus they
> play it safe and don't do so.

You are 100 percent correct about NetworkManager.  The facility only
manages interfaces (including VPN and bridges).  What I've done is add
the ability to install and remove null routes when the upstream
interface comes on-line and goes off-line.

So this is only the first stage of filtering.  Using NetFilter (in the
CentOS 8 case, nftables), I will be adding rules to implement my
policies on each system I have: what exactly will be accepted, what
will be forwarded, what will be rejected, and what will be ignored.

What adding the null routes does is let me use the FIB test commands so
that the firewall files don't have to know the exact configuration of
networking, or have monster lists that have to be maintained.  Consider
that one suggestion from this group is to look at using
https://www.team-cymru.com/bogon-reference-http.html and doing periodic
updates of the null routes based on the information there.  (With caution.)

This is specific to Linux.  The idea is to let the computer do all the
bookkeeping work, so I don't have to.  Even if I have automation to "help".

The first application of this work will be to replace my existing
firewall router with up-to-date software and comprehensive rules to
handle NAT and DNAT, on a local network with quite a number of VLANs.
