Commit 65e565b0 authored by Franco Fichtner's avatar Franco Fichtner

firewall: regressing in bogon blocking, we're blocking too many now..

PR: https://forum.opnsense.org/index.php?topic=3105.0
(cherry picked from commit 9def0e38)
parent 53ad35eb
0.0.0.0/8 0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8 127.0.0.0/8
169.254.0.0/16 169.254.0.0/16
172.16.0.0/12
192.0.0.0/24 192.0.0.0/24
192.0.2.0/24 192.0.2.0/24
192.168.0.0/16
198.18.0.0/15 198.18.0.0/15
198.51.100.0/24 198.51.100.0/24
203.0.113.0/24 203.0.113.0/24
...@@ -2938,7 +2938,14 @@ EOD; ...@@ -2938,7 +2938,14 @@ EOD;
} }
foreach ($FilterIflist as $on => $oc) { foreach ($FilterIflist as $on => $oc) {
/* block bogon networks via http://www.cymru.com/Documents/bogon-bn-nonagg.txt */ /*
* Block bogon networks via the following list. Note that "bogons"
* are excluding the four private address ranges for one reason or
* another. They exist in the upstream files but are stripped during
* the upgrade stage.
*
* http://www.cymru.com/Documents/bogon-bn-nonagg.txt
*/
if (!isset($config['syslog']['nologbogons'])) { if (!isset($config['syslog']['nologbogons'])) {
$bogonlog = 'log'; $bogonlog = 'log';
} else { } else {
...@@ -89,7 +89,10 @@ if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DIS ...@@ -89,7 +89,10 @@ if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DIS
ENTRIES_V4=`pfctl -vvsTables | awk '/-\tbogons$/ {getline; print $2}'` ENTRIES_V4=`pfctl -vvsTables | awk '/-\tbogons$/ {getline; print $2}'`
LINES_V4=`wc -l /tmp/bogons | awk '{ print $1 }'` LINES_V4=`wc -l /tmp/bogons | awk '{ print $1 }'`
if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V4:-0}+LINES_V4)) ]; then if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V4:-0}+LINES_V4)) ]; then
egrep -v "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /usr/local/etc/bogons # These bogons are removed as they are private. I'm not going
# to question this now, adding a big WARNING instead. Here be
# dragons...
egrep -v "^100.64.0.0/10|^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /usr/local/etc/bogons
RESULT=`/sbin/pfctl -t bogons -T replace -f /usr/local/etc/bogons 2>&1` RESULT=`/sbin/pfctl -t bogons -T replace -f /usr/local/etc/bogons 2>&1`
echo "$RESULT" | awk '{ print "Bogons V4 file downloaded: " $0 }' | logger echo "$RESULT" | awk '{ print "Bogons V4 file downloaded: " $0 }' | logger
else else
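Review bot: The exclusion pattern on the new egrep line uses unescaped dots and no end anchor, so `^10.0.0.0/8` is a loose regex match rather than the exact-entry removal it reads as; since the four entries are fixed strings, whole-line fixed-string matching states the intent precisely and drops the deprecated `egrep`: `grep -v -x -F -e 100.64.0.0/10 -e 192.168.0.0/16 -e 172.16.0.0/12 -e 10.0.0.0/8 /tmp/bogons > /usr/local/etc/bogons`. The added comment says the ranges are stripped because they are private and then warns of dragons, but it does not say what the operator loses: once stripped, packets with these source addresses on a bogon-blocking interface are no longer dropped by the bogons table, and the comment should name the control expected to cover them instead (presumably the per-interface private-network block, which this hunk does not show). 100.64.0.0/10 is RFC 6598 shared address space rather than RFC 1918, so "private" is slightly imprecise; once the covering rule is confirmed I would write `# RFC 1918 and RFC 6598 (CGN) ranges are dropped from the table on purpose: they belong to the per-interface private-network rule, not the bogon rule.` in place of the dragons warning. The same four ranges now appear here, in the shipped bogons file and in the filter.inc comment, so keeping them in one variable near the top of this script would stop the lists drifting apart.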
......