Almost everyone in IT knows the bogons, even if they don't know them by that name. They're the list of unassigned IP addresses that no one should be using on an external network. The ones most people know are the 192.168.0.0, 127.0.0.0 and 10.0.0.0 addresses, but there are nearly 50 distinct class A, B & C networks that qualify as bogons.
Unless you have a good reason, you should have ingress and egress filters on your firewalls blocking all traffic to and from these networks. Why? Because there's no good reason for your firewall to be passing this traffic, since the bogons are supposed to be unused. If there's traffic originating from one of these coming into your network, chances are very good it's malicious. The source address of the packet is most likely forged and it's an attempt to do something bad to your network. Similarly, if your network is trying to send packets to one of these networks, you either have a misconfigured host or one that's trying to connect to something that doesn't exist. So in either case, you want to block the traffic before it can do harm.
So how do you block the bogons using the Cobia firewall? It's actually pretty easy, but it is somewhat time consuming. Even the consolidated bogons list has 30 different networks that need rules written for them. If you create both ingress and egress filters for all of the networks, you have to create over 60 rules. From the firewall module, select Add Rule. I chose to name each rule "Bogon x.x.x.x" so that I could easily identify each rule and the addresses it affects. I also decided to turn on both the logging and the rule hit counter options to make troubleshooting that much easier. After all, if you're using a bogon IP network in your DMZ, blocking all the bogons could cause you just a little bit of trouble.
The rules themselves are simple: block any traffic with a source IP in the bogons list. Using the 5.0.0.0 network as an example, select the exterior interface as the source interface and the internal interface as the destination interface. Change the source address from 'Any source IP address' to 'IP address/netmask'. Enter the network IP and mask in the appropriate boxes, leave the destination address as 'any' and the protocol as 'any'. Pay attention to the subnet masks for the bogons; many of them are not standard /8 or /16 subnets. You could change the destination address to that of your network, but it would have the same effect overall anyway. Finally, set the action to deny, hit the 'ok' button to save the rule and continue on to the next rule. When you have all 30 incoming rules, hit the 'ok' button a second time to commit the rules.
Creating the egress rules is the same, except the interfaces will be reversed, with the incoming interface being your internal interface. Other than something on your internal network such as the previously mentioned DMZ, there's no reason your network should ever be sending traffic to a bogon network. Having the egress filters turned on with the rule hit counter enabled could alert you to malicious traffic on your network, or maybe to an end user who took their laptop home, reconfigured it for his or her home network, and is now sending out spurious traffic. It also helps you be a good netizen.
I've included a screenshot of a finished firewall rule as well as a copy of the IPtables rules that Cobia creates to implement these rules in the extended body. Each Cobia rule creates 3 IPtables rules: the blocking rule, the logging rule and the hit counter rule. The logging and counter rules are almost the same, except that they write to different log files. The IPtables rules below are created automatically by Cobia; I included them to illustrate how easy Cobia makes it to create these rules.
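The same ingress/egress pattern, written as a plain iptables generator rather than through the Cobia UI, as an added example that is not part of this post or of Cobia's own rule output. It assumes a forwarding firewall with eth0 as the external interface and eth1 as the internal one (both assumed names), and uses a constructed subset of well-known reserved networks as the bogon list; the real list is much longer and changes as address space is allocated (the 5.0.0.0/8 used as the example above has since been assigned), so it must be refreshed from a current source. Each network gets the three-rule shape described above: a LOG rule, a target-less counter rule whose hit count shows up in `iptables -L FORWARD -v -n` (my own choice of counter mechanism, not Cobia's), and the DROP. Ingress rules match the forged source address; egress rules match the stray destination address.

```shell
#!/bin/sh
# Assumed interface names for this example.
EXT_IF=eth0
INT_IF=eth1

# Constructed sample subset of reserved networks; NOT a complete bogon list.
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# bogon_rules IN_IF OUT_IF MATCH NET
#   MATCH is -s (ingress: forged source) or -d (egress: stray destination).
#   Prints the log, counter and drop rules for one network on stdout.
bogon_rules() {
  in_if=$1; out_if=$2; match=$3; net=$4
  base="iptables -A FORWARD -i $in_if -o $out_if $match $net"
  # 1. log the packet with a prefix that names the rule, like "Bogon x.x.x.x"
  printf '%s -j LOG --log-prefix "Bogon %s: "\n' "$base" "$net"
  # 2. counter rule: no target, so it only increments the chain's packet/byte counters
  printf '%s -m comment --comment "Bogon %s hits"\n' "$base" "$net"
  # 3. finally drop it
  printf '%s -j DROP\n' "$base"
}

# all_bogon_rules: ingress (external -> internal, by source) and
# egress (internal -> external, by destination) for every network in BOGONS.
all_bogon_rules() {
  for net in $BOGONS; do
    bogon_rules "$EXT_IF" "$INT_IF" -s "$net"
    bogon_rules "$INT_IF" "$EXT_IF" -d "$net"
  done
}

# Print the full rule set; review it, then pipe into sh as root to apply.
all_bogon_rules
```

Keep the DROP rules ordered after whatever rule permits your DMZ or other legitimately used private range, or you will reproduce exactly the self-inflicted outage the post warns about; reading the counters after a day of normal traffic is a cheap way to find out.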
Please leave me a comment or send me an email if you found this useful. If you've got a project you'd like to see me walk through with Cobia, let me know. I'll be regularly posting how-to's such as this and could use some ideas.