Bug #4379

closed

Remove CGN (RFC6598) address space from "private networks"

Added by Kill Bill about 9 years ago. Updated about 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version:
Start date: 02/05/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

No need to filter this in both places; this is really the same thing as the RFC1918 ranges.

Forum thread: https://forum.pfsense.org/index.php?topic=88215.0

#1

Updated by Chris Buechler about 9 years ago

  • Subject changed from Remove CGN (RFC6598) address space from bogons to Remove CGN (RFC6598) address space from "private networks"
  • Status changed from New to Resolved
  • Target version set to 2.2.1

Since block private specifically says RFC 1918, it's more valid as a bogon than as private, so I removed it from private.

#2

Updated by Kill Bill about 9 years ago

I'm not using either of these, so I pretty much don't care either way, but... fixing the description and nuking this from bogons leaves people with usable bogon rules that are blocking loads of other stuff. When you leave CGN in bogons, people on CGN just cannot use those at all since you cannot override it in any reasonable way (still no way to move those rules). Hmmm.

#3

Updated by Chris Buechler about 9 years ago

Bogons and block private only apply to traffic sourced on the WAN in question. Where you're on CGN, you pretty much never want to allow traffic sourced from CGN subnets in. There is never any need to disable that for outbound traffic, regardless of whether your WAN is CGN or private or bogon.

There is a feature request open to allow moving the rules, which could be handy in some limited circumstances (mostly to block matching traffic with no logging without completely disabling the rule).

#4

Updated by Kill Bill about 9 years ago

Yes, of course. I think we don't understand each other. I can trivially create an RFC1918 alias and place that rule wherever I want (it's 3 CIDRs, or 4 including the CGN address space). Not exactly the case with bogons{,v6}. So, this CGN address space is effectively buried among loads of completely unrelated IP ranges. As long as you leave it there, you render the entire bogons list unusable for anyone behind CGN. Not talking about outbound traffic at all.

#5

Updated by Chris Buechler about 9 years ago

It's only unusable where you need to allow traffic into WAN that's sourced from CGN space, which in nearly all cases is nothing. I think you're misunderstanding what block bogons does; it most certainly doesn't "render the entire bogons list unusable for anyone behind CGN."
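The WAN-side decision discussed in #1, #3 and #4, as an added example (not pfSense code): the "block private" set is the three RFC 1918 CIDRs, with CGN (RFC 6598, 100.64.0.0/10) included only in the pre-fix behaviour, and both rules inspect only the source of traffic entering WAN. The flag names, the sample addresses and the small stand-in bogon list are constructed assumptions.

```python
"""Model of pfSense's "Block private networks" / "Block bogon networks"
verdict for inbound WAN traffic. Added example for ticket #4379, not
pfSense's own code; rule names, flags and sample data are constructed."""
import ipaddress

# The three RFC 1918 ranges that "block private networks" refers to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Carrier-grade NAT space, RFC 6598.
CGN = ipaddress.ip_network("100.64.0.0/10")
# Constructed stand-in for the downloaded bogons list: a couple of
# ranges that are never valid public sources, plus CGN space (where the
# fix leaves it, as #1 says it is "more valid as a bogon than private").
BOGONS_SAMPLE = [ipaddress.ip_network(n)
                 for n in ("0.0.0.0/8", "240.0.0.0/4")] + [CGN]


def private_ranges(cgn_is_private=False):
    """Match set of 'block private networks': 3 CIDRs after the fix,
    4 (with CGN) before it. The same list is what an alias in #4 holds."""
    return RFC1918 + ([CGN] if cgn_is_private else [])


def wan_inbound_verdict(src, block_private, block_bogons, cgn_is_private=False):
    """Return the name of the WAN rule that drops an inbound packet from
    source address src, or None if neither rule matches.

    Only the source address is consulted: these rules apply to traffic
    entering the WAN interface and never to outbound traffic (#3)."""
    addr = ipaddress.ip_address(src)
    if block_private and any(addr in n for n in private_ranges(cgn_is_private)):
        return "block private networks"
    if block_bogons and any(addr in n for n in BOGONS_SAMPLE):
        return "block bogon networks"
    return None


if __name__ == "__main__":
    # Constructed source addresses: RFC 1918, CGN, and a public TEST-NET address.
    for src in ("192.168.1.5", "100.64.1.1", "203.0.113.7"):
        print(src, "before fix:", wan_inbound_verdict(src, True, True, cgn_is_private=True),
              "| after fix:", wan_inbound_verdict(src, True, True))
```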
