* [Cerowrt-devel] bcp38 via ipset
@ 2014-01-16 5:37 Dave Taht
From: Dave Taht @ 2014-01-16 5:37 UTC (permalink / raw)
To: cerowrt-devel
#!/bin/sh
# I am allergic to writing tons and tons of iptables rules. Perhaps
# using ipsets instead would be more efficient?
# a (borken) start at trying it below:
ipset destroy bcp38-ipv4
ipset destroy bcp38-ipv6
ipset destroy egress-ipv4
ipset destroy egress-ipv6
ipset create bcp38-ipv4 hash:net family inet timeout 0 hashsize 32
ipset add bcp38-ipv4 127.0.0.0/8
ipset add bcp38-ipv4 192.168.0.0/16
ipset add bcp38-ipv4 10.0.0.0/8
ipset add bcp38-ipv4 172.16.0.0/12
ipset add bcp38-ipv4 169.254.0.0/16
# But what should bcp38 look like for ipv6?
ipset create bcp38-ipv6 hash:net family inet6 timeout 0 hashsize 32
ipset add bcp38-ipv6 2001:DB8::/32 # example ipv6 addr kill
ipset add bcp38-ipv6 fc00::/7 # reject ula
ipset add bcp38-ipv6 ff00::/8 # reject multicast
ipset add bcp38-ipv6 fec0::/10 # reject site-local
ipset add bcp38-ipv6 ::ffff:0:0/96 # reject v6mapped
ipset create egress-ipv4 hash:net family inet timeout 0 hashsize 32
ipset add egress-ipv4 127.0.0.0/8
ipset add egress-ipv4 192.168.0.0/16
ipset add egress-ipv4 10.0.0.0/8
ipset add egress-ipv4 172.16.0.0/12
ipset add egress-ipv4 169.254.0.0/16
# you could then dynamically add your external ip even
# in a double nat situation in a dhcpd callback
# Prohibit multicast except for a few well known services?
ipset create egress-ipv6 hash:net family inet6 timeout 0 hashsize 32
ipset add egress-ipv6 fc00::/7
ipset add egress-ipv6 ff00::/8
ipset add egress-ipv6 2001:DB8::/32 # Block IPv6 example address
ipset add egress-ipv6 fec0::/10 # reject site-local
ipset add egress-ipv6 ::ffff:0:0/96 # reject v6mapped
# FIXME punch hole for network discovery?
# FIXME punch a hole for dhcpv6
# punch a hole for babel
# And for all that above this attempt at rules don't work
# output? some other chain?
iptables -A forwarding_wan_rule -m set --match-set egress-ipv4 dst -j REJECT --reject-with icmp-host-unreachable
ip6tables -A forwarding_wan_rule -m set --match-set egress-ipv6 dst -j REJECT --reject-with addr-unreach
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
* Re: [Cerowrt-devel] bcp38 via ipset
@ 2014-01-16 14:50 ` Dave Taht
From: Dave Taht @ 2014-01-16 14:50 UTC (permalink / raw)
To: David Personette; +Cc: cerowrt-devel
One of the things to fix on the spam filter front on this box is it
killing numeric urls, so I figure David's and my conversation has been
dropped on the floor.
I put up the things described so far into a tiny script located at:
https://github.com/dtaht/bcp38
It needs to hook into /etc/config/firewall somehow in the long run, outside
of firewall.user.
* Re: [Cerowrt-devel] bcp38 via ipset
@ 2014-01-16 14:56 ` David Personette
From: David Personette @ 2014-01-16 14:56 UTC (permalink / raw)
To: Dave Taht; +Cc: cerowrt-devel
FYI, 224/4 is mcast, 240/4 is "future use" (when future === never ;^).
--
David P.
On Thu, Jan 16, 2014 at 9:50 AM, Dave Taht <dave.taht@gmail.com> wrote:
> One of the things to fix on the spam filter front on this box is it
> killing numeric urls, so I figure David's and my conversation has been
> dropped on the floor.
>
> I put up the things described so far into a tiny script located at:
>
> https://github.com/dtaht/bcp38
>
> It needs to hook into /etc/config/firewall somehow in the long run, outside
> of firewall.user.
>
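An added example, not part of the thread or of the dtaht/bcp38 script: a small Python model of what the ipset rules in the first message decide for a given packet. It builds the same prefix lists as the script's `hash:net` sets (with the v4-mapped range written as ipset needs it, `::ffff:0:0/96`), adds the two IPv4 ranges David Personette's reply names (224/4 multicast, 240/4 reserved), emulates the `-m set --match-set <set> dst` match from the `forwarding_wan_rule` lines, and then goes one step beyond the posted script by also applying the source-address check RFC 2827 (BCP 38) describes: a packet leaving towards the WAN must carry a source from the site's own prefixes. `SITE_PREFIXES` and the sample packets are constructed placeholders (RFC 5737 / RFC 9637 documentation space), not values from the page.

```python
import ipaddress

# Prefix lists taken from the posted script (v4-mapped range written as
# ::ffff:0:0/96, the form ipset accepts) plus the two IPv4 ranges David
# Personette's reply names: 224/4 (multicast) and 240/4 (reserved, "future use").
BOGON_V4 = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
            "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]
BOGON_V6 = ["2001:db8::/32", "fc00::/7", "ff00::/8", "fec0::/10", "::ffff:0:0/96"]

# Constructed placeholder for the site's own allocations (RFC 5737 / RFC 9637
# documentation space); a real deployment uses the prefixes the ISP delegated.
SITE_PREFIXES = ["203.0.113.0/24", "3fff:1::/48"]


class NetSet:
    """Model of an ipset 'hash:net' set: an address matches when any stored
    prefix of the same family contains it (ipset does a longest-prefix lookup,
    but for a plain match/no-match verdict 'any prefix contains it' is the same)."""

    def __init__(self, family, prefixes=()):
        self.family = family          # 4 or 6, like 'family inet' / 'family inet6'
        self.nets = []
        for p in prefixes:
            self.add(p)

    def add(self, prefix):
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != self.family:
            raise ValueError(f"{prefix} is not an IPv{self.family} prefix")
        self.nets.append(net)

    def test(self, addr):
        a = ipaddress.ip_address(addr)
        return a.version == self.family and any(a in n for n in self.nets)


def build_sets():
    """Equivalent of the 'ipset create' / 'ipset add' block: one set per family."""
    return {4: NetSet(4, BOGON_V4), 6: NetSet(6, BOGON_V6)}


def match_set(sets, packet, flag):
    """'-m set --match-set <set> src|dst' on a packet dict {'src': ..., 'dst': ...}.
    The family of the looked-up address selects the inet or inet6 set."""
    a = ipaddress.ip_address(packet[flag])
    return sets[a.version].test(packet[flag])


def wan_egress_verdict(packet, sets, site_prefixes=SITE_PREFIXES):
    """Verdict for a packet about to be forwarded out of the WAN interface.

    Step 1 is the rule in the posted script: destination in the egress set
    -> REJECT.  Step 2 is the check RFC 2827 (BCP 38) describes, added here:
    a packet leaving the site must carry a source address from the site's own
    prefixes; anything else is spoofed or leaked RFC 1918 / ULA traffic -> DROP."""
    if match_set(sets, packet, "dst"):
        return "REJECT"
    src = ipaddress.ip_address(packet["src"])
    ours = [ipaddress.ip_network(p) for p in site_prefixes]
    if not any(src in n for n in ours if n.version == src.version):
        return "DROP"
    return "ACCEPT"


# Constructed sample traffic, (src, dst) as the router sees it before forwarding.
SAMPLE = [
    {"src": "203.0.113.7", "dst": "198.51.100.9"},     # normal site traffic
    {"src": "192.168.1.5", "dst": "198.51.100.9"},     # RFC 1918 source leaking out
    {"src": "203.0.113.7", "dst": "10.1.2.3"},         # destination in the egress set
    {"src": "3fff:1::10", "dst": "2001:db8::1"},       # IPv6 destination in the set
    {"src": "fd00::1", "dst": "3fff:2::1"},            # ULA source leaking out
    {"src": "203.0.113.7", "dst": "::ffff:10.0.0.1"},  # v4-mapped destination
]


def run_samples(sets=None):
    """Return (src, dst, verdict) for every constructed sample packet."""
    sets = sets or build_sets()
    return [(p["src"], p["dst"], wan_egress_verdict(p, sets)) for p in SAMPLE]


if __name__ == "__main__":
    for src, dst, verdict in run_samples():
        print(f"{src:>18} -> {dst:<18} {verdict}")
```

The two steps answer different questions: the `dst` match keeps the router from forwarding traffic to space that should never appear on the Internet, while the source check is what stops a host behind the router from emitting spoofed or private-source packets, which is the failure BCP 38 is about; a deployment wants both, and on a double-NAT WAN the site prefix list is exactly the value the script's comment suggests filling in from a dhcp callback.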