[76308] in North American Network Operators' Group
Re: Bogon filtering (don't ban me)
daemon@ATHENA.MIT.EDU (Joe Abley)
Sun Dec 5 15:57:00 2004
In-Reply-To: <Pine.LNX.4.44.0412051028250.23330-100000@sokol.elan.net>
Cc: NANOG Off-topic Gripes <nanog@merit.edu>
From: Joe Abley <jabley@isc.org>
Date: Sun, 5 Dec 2004 15:55:56 -0500
To: "william(at)elan.net" <william@elan.net>
Errors-To: owner-nanog-outgoing@merit.edu
On 5 Dec 2004, at 13:31, william(at)elan.net wrote:
> On Sun, 5 Dec 2004, william(at)elan.net wrote:
>
>> On Sun, 5 Dec 2004, Joe Abley wrote:
>>
>>> With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to
>>> BGP updates received from individual peers which updates a pf radix
>>> table with the network received:
>>
>> PF and bgpd with local filter table is good when you're expecting those
>> filtered ip routes to change often. But this is not true about bogons
>
> Ok, I guess I did not read original post closely enough. PF is for
> reinjecting routes that match local rules back into bgp, right?
No -- pf is a packet filter, and in this case the rules for which
packets to filter are being driven by BGP updates instead of static
config. Nothing is being re-introduced from pf into BGP.
It's very true that the routes received from the bogon servers don't
change very often. However, I still very much like the idea of
outsourcing the job of keeping my firewalls' bogon filters up-to-date
to team cymru, rather than having to worry about doing it myself.
> For looking at active routes and seeing which ones match the rules I
> personally use "hacked" bird daemon, but it is not ready for public
> testing...
I'm sure there are many ways to skin this particular house pet.
OpenBSD 3.6 let me do all this stuff out-of-the-box, without installing
a single other package. I find that I like that; not having to compile
and tweak stuff makes me happy. I guess I'm getting old.
Joe
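The setup Joe describes, written out as an added example rather than his own configuration: bgpd accepts prefixes from a bogon route-server peer, mirrors each one into a pf table, and pf drops traffic to or from anything in that table. The syntax is that of current OpenBSD bgpd.conf(5)/pf.conf(5), not the 3.6-era dialect, and the local AS, router-id, peer address 192.0.2.1, feed AS 65333, interface name and prefix limit are all placeholders to be replaced with the values your feed provider and network actually use.

```conf
# /etc/bgpd.conf  (example; all addresses and AS numbers are placeholders)
AS 65000                             # placeholder local AS
router-id 198.51.100.1               # placeholder router-id

group "bogon-feed" {
    remote-as 65333                  # placeholder: AS given by the feed provider
    neighbor 192.0.2.1 {
        descr "bogon route-server"   # placeholder peer address
        max-prefix 2000 restart 5    # cap the feed so a mis-announcement
                                     # cannot blackhole unbounded space
    }
}

# Filter policy: last matching rule wins. Announce nothing, accept nothing
# by default, then accept the feed's prefixes, blackhole their next-hop so
# they never forward traffic, and mirror each prefix into pf table "bogons".
# bgpd removes the table entry again when the route is withdrawn.
deny to any
deny from any
allow from group "bogon-feed" set { nexthop blackhole pftable "bogons" }

# /etc/pf.conf  (example)
ext_if = "em0"                       # placeholder external interface

# "persist" keeps the table alive even while it is empty, so bgpd can
# populate it before any rule references it.
table <bogons> persist

block in  quick on $ext_if from <bogons> to any
block out quick on $ext_if from any to <bogons>
```

To confirm the plumbing, `bgpctl show rib neighbor 192.0.2.1` lists what the feed is sending and `pfctl -t bogons -T show` lists what actually landed in the table; `pfctl -t bogons -T test 10.0.0.1` checks a single address. The caveat that matters operationally is the flip side of the convenience: if the feed session drops, bgpd withdraws the prefixes and the table empties, so the bogon filter silently fails open. Watch the session state with `bgpctl show summary` (or alert on its transitions) rather than assuming the table is still populated.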