Re: Hiding NATs with PF
From: jpd (read_the_sig_at_do.not.spam.it.invalid)
Date: 09/30/05
- Next message: Edward Rosten: "Re: Zauraus install."
- Previous message: Max Bolingbroke: "Re: Hiding NATs with PF"
- In reply to: Maurice Janssen: "Re: Hiding NATs with PF"
- Next in thread: Greg Hennessy: "Re: Hiding NATs with PF"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 30 Sep 2005 01:01:38 GMT
Begin <dhhkgq$7d4$1@linux.z74.net>
On 2005-09-29, Maurice Janssen <mauricej@xs4all.nl> wrote:
> jpd wrote:
>>A good place to filter for RFC1918 (and LINK-LOCAL: 169.254.0.0/16,
>>and localhost, and so on) addresses is *incoming* on the external
>>interface, both source and destination.
[snipping too much context good, too much context snipping not so good]
> I use the list from http://www.cymru.com/Bogons/ and I guess there are a
> few other places that offer the same information.
> If the OP wants to use it as well, please subscribe to the mailing list
> or update regularly. This information tends to change now and then...
This is a nice idea[0] but as you say, and as stated there and noted
elsewhere, but repeated here for it deserves stressing:
Doing this *requires regular maintenance*, so doing it means you take
the responsibility for keeping up with it on you, lest you might break
someone's fresh and new IP addresses for no good reason. Not good.
Which is why I'd not recommend it for the casual user, but for large
site admins that can commit to updating (and have a much bigger impact
anyway) it certainly is an option. I.e. it'd be something for the router
admins of OP's campus' border routers to consider.
See also
http://www.ris.ripe.net/debogon/
http://www.ripe.net/ripe/draft-documents/deboganising-draft.html
[0] I have my own scripts for doing that, directly feeding off of the IANA
reserved list[1].
[1] You could also use, say, the SPEWS level 1 list, if you wish, although
the raw list really improves with aggregating. Caveat emptor, though.
-- j p d (at) d s b (dot) t u d e l f t (dot) n l .
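
Added example, not part of the original post and not the poster's own scripts: one way to aggregate a raw prefix list into a PF table file and check it for staleness before loading it. The sample list, the `$ext_if` macro, the `/etc/pf.bogons` path and the `must_pass` address are assumptions made for illustration.

```python
import ipaddress

# Constructed sample standing in for a downloaded raw list (not a real feed):
# comments, a duplicate, adjacent halves and a prefix inside a larger one.
RAW_LIST = """\
# constructed sample
10.0.0.0/8
172.16.0.0/13
172.24.0.0/13
192.168.0.0/17
192.168.128.0/17
169.254.0.0/16
127.0.0.0/8
10.1.2.0/24
169.254.0.0/16
"""

# Assumed names: $ext_if and /etc/pf.bogons are placeholders for your setup.
PF_RULES = """\
table <bogons> persist file "/etc/pf.bogons"
block in quick on $ext_if from <bogons> to any
block in quick on $ext_if from any to <bogons>
"""

def parse_prefixes(text):
    """Parse one CIDR per line; '#' starts a comment. A malformed entry raises
    ValueError so a corrupted download is never loaded into the table."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets

def aggregate(nets):
    """Merge duplicates, contained prefixes and adjacent blocks (sorted output)."""
    return list(ipaddress.collapse_addresses(nets))

def blocked(nets, must_pass):
    """Return the addresses from must_pass that the list would drop."""
    return [a for a in must_pass if any(ipaddress.ip_address(a) in n for n in nets)]

def pf_table_file(nets):
    return "".join(f"{n}\n" for n in nets)

if __name__ == "__main__":
    table = aggregate(parse_prefixes(RAW_LIST))
    # Placeholder for addresses you know are legitimately allocated and in use.
    stale = blocked(table, ["198.51.100.7"])
    if stale:
        raise SystemExit(f"list is stale, would block: {stale}")
    print(pf_table_file(table) + PF_RULES, end="")
```

The `blocked()` check is the automated form of the maintenance caveat above: run it on every update with addresses known to be in legitimate use, and refuse to load a list that would drop them.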