BCP38 on public-facing Ubuntu servers
Alain Hebert
ahebert at pubnix.net
Wed Jun 2 13:23:35 UTC 2021
And by that he means: "only a few" =D.
-----
Alain Hebert ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On 6/2/21 12:40 AM, Stephen Satchell wrote:
> Not every uplink service implements BCP38. When putting up servers
> connected more-or-less directly to the Internet through these uplinks,
> it would be nice if the servers themselves were able to implement
> ingress and egress filtering according to BCP38. (Sorry about the
> typo in the subject lines of my previous message -- not everyone can
> get a BGP feed.)
>
> (Or, when using Ubuntu server edition to implement edge routers.)
>
> My earlier query was asking if anyone has encoded the blackhole routes
> in YAML for inserting in netplan(5). My prior message contains the
> routes to be blackholed. That takes care of egress routing.
>
> (I think I can write a Python program to take my list and convert it
> to the YAML that netplan(5) wants to see. That way, the routes are
> inserted when the public interface is up, and removed when the public
> interface is down.)
>
> Ingress routing appears to be one-line addition. IPTABLES can be told
> to weed out packets with unroutable source addresses. My experiments
> will add something like this line to the firewall:
>
> # iptables -A INPUT -m addrtype -i enp1s0 --src-type BLACKHOLE -j DROP
>
> THIS HAS NOT BEEN VERIFIED. I'm building a web server that will
> integrate this idea, and try it out.
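A sketch of the list-to-YAML generator the quoted message proposes, added here as an example (not Stephen Satchell's code): it validates each prefix, carves out any network the host must still reach, collapses what is left and renders a netplan(5) fragment with `type: blackhole` routes under the public interface. The prefix list is a constructed sample of well-known special-use ranges rather than the list from the earlier message; `enp1s0` and the kept 10.20.0.0/16 management subnet are assumptions.

```python
# Emit a netplan(5) fragment with blackhole routes for unroutable prefixes.
import ipaddress

# Constructed sample of well-known IPv4 special-use prefixes; NOT the list
# from the earlier message in the thread, which is not reproduced here.
SAMPLE_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4",
]

def carve(net, keep_nets):
    """Pieces of `net` left after removing every kept network (e.g. an
    RFC 1918 management subnet the host must still be able to reach)."""
    pieces = [net]
    for k in [m for m in keep_nets if m.version == net.version]:
        remaining = []
        for p in pieces:
            if p.subnet_of(k):          # fully inside an allowed net: drop it
                continue
            if k.subnet_of(p):          # allowed net lies inside p: punch a hole
                remaining.extend(p.address_exclude(k))
            else:
                remaining.append(p)
        pieces = remaining
    return pieces

def normalise(prefixes, keep=()):
    """Validate (host bits set raises ValueError), carve out kept networks,
    then collapse adjacent/overlapping prefixes, per address family."""
    keep_nets = [ipaddress.ip_network(k) for k in keep]
    by_version = {4: [], 6: []}
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        by_version[net.version].extend(carve(net, keep_nets))
    return [n for v in (4, 6)
            for n in sorted(ipaddress.collapse_addresses(by_version[v]))]

def netplan_yaml(iface, prefixes, keep=()):
    """Render the fragment; routes under `iface` come and go with the link."""
    lines = ["network:", "  version: 2", "  ethernets:", f"    {iface}:",
             "      routes:"]
    for net in normalise(prefixes, keep):
        lines.append(f"        - to: {net.with_prefixlen}")
        lines.append("          type: blackhole")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(netplan_yaml("enp1s0", SAMPLE_BOGONS, keep=["10.20.0.0/16"]))
```

Note that the two halves are coupled: the `-m addrtype --src-type BLACKHOLE` match in the quoted ingress rule classifies a source address by looking it up in the routing table, so it only drops anything once these blackhole routes are actually installed.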