Blocking BOGON addresses
I recently discovered I can do a traceroute to, say, 192.168.100.101, and the traffic is allowed out the external interface via the Outgoing policy. The traffic made it a few hops and was dropped by my ISP. I was surprised that BOGON addresses aren't just dropped at the Firebox. Is there any easy way to block BOGON addresses from passing the external interface?
I did some searching for WatchGuard-specific configuration on BOGON filtering but didn't find any discussions or notes in the WatchGuard documentation. I did see configuration for other firewall vendors to achieve this.
I thought about using blocked sites and block site exception to achieve this. I first added network addresses for all of my internal networks to Blocked Site Exceptions. When I went to add 10.0.0.0/8 to blocked sites, I received an error message that I would have to create exceptions for each internal firebox interface within that range. That's going to be a lot of work for multiple sites with multiple VLANs per site. I was surprised that my blocked site exception of 10.X.0.0/16 wouldn't have already covered the firebox's internal interfaces.
Maybe all this doesn't matter and I'm being paranoid. For anyone interested, here is the reddit thread that got me thinking about this.
https://reddit.com/r/sysadmin/comments/1r87rcr/what_is_everyones_traceroute_for_192168200101/
Comments
Hi @keysd
We don't block these addresses by default as many of our customers will use external devices to route across MPLS or other leased line type networks out the external. The default NAT rules on the firewall will not NAT traffic destined to an RFC1918 address. Most ISPs will drop RFC1918-addressed traffic if it hits their network.
The easiest way to deny this traffic is to make a rule to do so.
-Create a new policy, I'd suggest using the "Any" packet filter, which will match any port or protocol.
-In the From field, remove whatever is there by default, and add Network IPv4 addresses
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
-In the To field, remove whatever is there by default, and put Any-External.
-Be sure to set the policy to Deny (it will be Allowed by default.)
-James Carson
WatchGuard Customer Support
If you need to allow a specific subnet in that range out, it's easiest to make another rule directly above your deny rule to allow that traffic. (This also allows you to log it, and other people will know what it's for this way.)
You can also supernet your initial rule around that subnet.
-James Carson
WatchGuard Customer Support
Thanks for the reply James.
Can I assume "Drop Spoofing Attacks" in default packet handling will take care of any BOGON inbound on the external interface?
@keysd
The drop spoofing attacks function drops traffic that arrives on an interface that the Firebox did not expect.
For example, if your trusted interface (eth1) is 10.0.1.0/24 and the firewall sees traffic from 10.0.1.200 arrive on the external interface (eth0) it will be dropped because traffic from that address range should originate from eth1.
Most unsolicited traffic coming in on an external interface will be dropped as "Unhandled External Traffic" because the firewall doesn't have a rule to handle it.
-James Carson
WatchGuard Customer Support
Most of the RFC1918 address packets received at my firewall were SMB packets.
I added an SMB packet filter, set to Denied, From: Any-External, To: Firebox, with "Send log message" unselected.
Now I don't see those unhandled packets anymore in my logs.
@james.carson
Thanks for the explanation on how WG handles spoofing.
I can understand why WatchGuard doesn't drop RFC1918 addresses over the external interface by default. Thanks for that explanation. I'm still unclear how I can stop packets originating from trusted clients destined for RFC1918 addresses from going over the external interface.
The deny rule you suggested isn't going to stop packets destined for RFC1918 addresses from going over the external interfaces if the client is allowed to use the external interface in a rule directly above the deny rule.
The way I understand it, your two rules do the following:
1.) Block all RFC1918 addressed clients from using the external interface by default
2.) Allow clients of specific RFC1918 subnets to use the external interface.
I suppose this doesn't matter if the ISP is dropping RFC1918 traffic? Maybe it would matter if the ISP failed to drop 1918 traffic? There is pretty good debate in the original Reddit thread I linked. I'm just trying to do the best I can. Thanks for your time and help.
Clearly if all ISPs dropped these packets, the only way that your firewall should see them is if it is connected to a shared feed, such as from a cable provider, which I have.
One possible policy order:
Set up the allow as policy 1 in manual order mode.
Set up the deny as policy 2.
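As an added illustration (not part of the thread and not WatchGuard code), here is a small Python model of first-match policy evaluation with the policy sets discussed above: the source-based deny on its own, the same deny with a per-VLAN allow placed directly above it, and a third, added variant that denies on the RFC1918 *destination* instead, with the inter-VLAN allow above it. The VLAN prefixes, host addresses and policy names are hypothetical, and the alias handling ("Any-External" means the destination routes out the external interface, "Any-Trusted" means it is in one of the internal VLANs) is a simplification of how a Firebox resolves interface aliases.

```python
"""Model of first-match, top-to-bottom policy evaluation (added example, hypothetical config)."""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical internal VLANs behind the firewall; everything else follows the default route
# out the external interface.
INTERNAL = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]


def interface_for(addr):
    """Interface an address is reached through in this model: a trusted VLAN or External."""
    return "Trusted" if any(addr in n for n in INTERNAL) else "External"


def _match(selector, addr):
    """selector is an alias string ("Any", "Any-Trusted", "Any-External") or a list of networks."""
    if selector == "Any":
        return True
    if selector in ("Any-Trusted", "Any-External"):
        return interface_for(addr) == selector.split("-")[1]
    return any(addr in n for n in selector)


def evaluate(policies, src, dst):
    """Return (policy name, action) for the first policy that matches src->dst.

    Policies are (name, From, To, action) tuples in manual order. Anything no policy
    handles is dropped, like the Firebox's "Unhandled" traffic.
    """
    s, d = ip_address(src), ip_address(dst)
    for name, frm, to, action in policies:
        if _match(frm, s) and _match(to, d):
            return name, action
    return "Unhandled", "Deny"


# 1. The deny policy from the support reply, on its own: From RFC1918, To Any-External.
DENY_ONLY = [
    ("Block-RFC1918-Out", RFC1918, "Any-External", "Deny"),
]

# 2. The same deny with an allow for one VLAN directly above it (the two-rule ordering
#    discussed in the thread).
ALLOW_ABOVE_DENY = [
    ("Allow-VLAN1-Out", [ip_network("10.1.0.0/16")], "Any-External", "Allow"),
    ("Block-RFC1918-Out", RFC1918, "Any-External", "Deny"),
]

# 3. Added variant: match on the RFC1918 destination rather than the source, keeping the
#    inter-VLAN allow above the deny so internal-to-internal traffic is untouched.
DENY_BY_DESTINATION = [
    ("Allow-Inter-VLAN", "Any-Trusted", "Any-Trusted", "Allow"),
    ("Block-To-RFC1918", "Any-Trusted", RFC1918, "Deny"),
    ("Outgoing", "Any-Trusted", "Any-External", "Allow"),
]

# Constructed test flows: a VLAN1 client to the Internet, to the traceroute target from the
# original post, to another VLAN, and unsolicited traffic arriving from outside.
FLOWS = [
    ("10.1.1.5", "8.8.8.8"),
    ("10.1.1.5", "192.168.100.101"),
    ("10.1.1.5", "10.2.5.5"),
    ("203.0.113.9", "10.1.1.5"),
]


def report(policies):
    """Evaluate every constructed flow against one policy set."""
    return {f"{s}->{d}": evaluate(policies, s, d) for s, d in FLOWS}


if __name__ == "__main__":
    for label, policies in (("deny only", DENY_ONLY),
                            ("allow above deny", ALLOW_ABOVE_DENY),
                            ("deny by destination", DENY_BY_DESTINATION)):
        print(f"== {label}")
        for flow, (name, action) in report(policies).items():
            print(f"  {flow:28} {action:5} ({name})")
```

Running the model shows the point raised in the thread: with the allow above the source-based deny, the VLAN1 client reaches 192.168.100.101 through the allow, so the deny never sees it; matching on the destination range instead denies that flow while Internet and inter-VLAN traffic still pass, and traffic arriving from outside with no policy falls through as unhandled.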