From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: ASN support for iptables
Date: Sun, 19 Nov 2017 15:58:44 +0000
Message-ID: <1511107124.4838.519.camel@ipfire.org>
In-Reply-To: <20171119155214.17e06a7c.peter.mueller@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5507667217986506946=="
List-Id: <development.lists.ipfire.org>

Hi,

On Sun, 2017-11-19 at 15:52 +0100, Peter Müller wrote:
> Hello development list,
>
> today, I'd like to discuss whether a new feature in
> the firewall engine of IPFire makes sense or not.
>
> Since Core Update 90, IPFire supports GeoIP based firewall
> rules, which goes beyond simple IP addresses or CIDR blocks
> and makes firewalling easier.
>
> The idea I had in mind is to add ASN (Autonomous System
> Number) support for firewall rules, too.
>
> An AS (Autonomous System) can be described as an administrative
> instance on top of IP: For example, several IP blocks belong
> to an AS, i.e. to the same company, university or whatever.
> Although these blocks may be used for completely different purposes
> in completely different countries, they share the same owner.
>
> Every AS has a number (ASN) and a description (sometimes
> abbreviated to ASDescr), while the number is unique.

I think this makes sense and I would welcome that as a new feature in IPFire. It
will in the end have some similar problems to the GeoIP blocker, but that is
not too bad.

> There are some scenarios in which AS based firewall rules
> make sense, since AS information change less seldom than
> IP ranges:
>
> (a) One wants to block malicious traffic, but blocking entire
> countries is too much since there are some legitimate partners,
> customers, ... out there. With AS support, it is possible to
> grant them access by simply permitting their AS. The rest of
> the country may now safely be blocked.

True. This might work well in some situations, but is probably quite useless
when fighting against a botnet.

What would also be good is to open a port forwarding only from a certain AS.
Let's call that whitelisting.

> (b) In some cases, IP ranges change very often, making firewall
> rules very complex and hard to maintain, or the exact IP address
> of a machine cannot be determined (dial-up connections). In
> both cases, the AS (mostly) stays the same and allows firewall
> rules without permitting access to a whole country.

That will be the biggest challenge here. The database will need to be complete
and needs regular updates. We don't really care if someone is actually
announcing their prefix, but if they have one assigned, we should block/permit
access.

> (c) Rogue ISPs (networks which are controlled/operated by professional
> spammers or worse, such as the "Russian Business Network" (RBN),
> which died in end-2007) sometimes run networks located in "good"
> countries such as US or NL. Blocking them by GeoIP is not an
> option because of many false-positives. AS based rules may help
> here.

The US is practically unblockable on the GeoIP filter, because too much is
hosted in the US (at least according to the database by businesses that have
their HQ there).

So this would be a good extension for more granular blocking.

> Since the data behind this can be extracted from BGP feeds,
> no external databases (such as MaxMind) are required.

If we used a BGP feed, we would only have the networks in the database that
are currently announced. Wouldn't scraping the WHOIS database be better?

Why not MaxMind? Not that I am in favour of that, but I am interested why it is
not an option.

> Unfortunately, my programming skills are too low for implementing
> this feature. Thereof, if it is decided to do this, I will need
> some help here. :-)

*raises hand*

> Technically, this is similar to the GeoIP firewall stuff (just
> another database), so I assume most of the work done there can
> just be copied.

The GeoIP block uses an iptables extension which parses the database. We
wouldn't use that here but would either build something with ipset or similar.

> Any thoughts on this idea?
>
> Best regards,
> Peter Müller

-Michael
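The thread discusses two design points without showing code: deriving the prefixes that belong to one ASN from a prefix-to-origin-AS table (a BGP-derived mapping, with the caveat raised above that such data only contains prefixes currently announced), and loading them into ipset rather than through a database-parsing iptables extension as the GeoIP filter does. The following is an added example, not IPFire code and not from either poster; the table layout (prefix, prefix length, origin ASN, with "A_B" for multi-origin prefixes) mirrors public prefix-to-AS mappings, the sample data uses documentation ranges and private ASNs constructed for this example, and the set names are an assumption. It generates an `ipset restore` script that fills a temporary set and swaps it in, so the live set is never empty while it is being refreshed.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the "prefix<TAB>length<TAB>origin ASN" layout used by
# public prefix-to-AS mappings. Addresses are documentation ranges and the
# ASNs are from the private range; none of this is real routing data.
SAMPLE_PFX2AS = """\
198.51.100.0\t24\t64500
203.0.113.0\t25\t64501
203.0.113.128\t25\t64500
192.0.2.0\t24\t64500_64502
2001:db8::\t32\t64500
bad line here
"""


def parse_pfx2as(text: str) -> List[Tuple[Network, int]]:
    """Parse the table into (network, origin ASN) pairs.

    A multi-origin entry such as "64500_64502" is expanded to one pair per
    ASN. Malformed lines are skipped instead of aborting the whole load, so a
    single bad record in an update cannot leave the firewall without a set.
    """
    entries: List[Tuple[Network, int]] = []
    for raw in text.splitlines():
        parts = raw.strip().split("\t")
        if len(parts) != 3:
            continue
        prefix, length, asn_field = parts
        try:
            net = ipaddress.ip_network(f"{prefix}/{length}", strict=True)
        except ValueError:
            continue  # not a valid, properly masked prefix
        for asn_str in asn_field.split("_"):
            if asn_str.isdigit():
                entries.append((net, int(asn_str)))
    return entries


def prefixes_for_asn(entries: List[Tuple[Network, int]], asn: int) -> Dict[int, List[str]]:
    """Return the prefixes originated by `asn`, keyed by IP version (4 or 6).

    Deduplicated and sorted so the generated script is stable between runs.
    """
    by_family: Dict[int, set] = {4: set(), 6: set()}
    for net, origin in entries:
        if origin == asn:
            by_family[net.version].add(str(net))
    return {
        version: sorted(prefixes, key=ipaddress.ip_network)
        for version, prefixes in by_family.items()
    }


def ipset_restore_lines(asn: int, entries: List[Tuple[Network, int]]) -> List[str]:
    """Build an `ipset restore` script for one ASN (set names are assumed).

    IPv4 and IPv6 go into separate hash:net sets because an ipset has one
    address family. A temporary set is filled and then swapped in atomically,
    so rules referencing the live set keep matching during the refresh.
    """
    lines: List[str] = []
    families = {4: ("inet", "v4"), 6: ("inet6", "v6")}
    for version, prefixes in prefixes_for_asn(entries, asn).items():
        if not prefixes:
            continue
        family, suffix = families[version]
        live, tmp = f"asn{asn}_{suffix}", f"asn{asn}_{suffix}_tmp"
        lines.append(f"create {live} hash:net family {family} -exist")
        lines.append(f"create {tmp} hash:net family {family} -exist")
        lines.append(f"flush {tmp}")
        lines.extend(f"add {tmp} {prefix}" for prefix in prefixes)
        lines.append(f"swap {live} {tmp}")
        lines.append(f"destroy {tmp}")
    return lines


if __name__ == "__main__":
    entries = parse_pfx2as(SAMPLE_PFX2AS)
    # Pipe this output into `ipset restore`; a rule such as
    #   iptables -A FORWARD -m set --match-set asn64500_v4 src -j DROP
    # then matches the whole AS without listing its prefixes in iptables.
    print("\n".join(ipset_restore_lines(64500, entries)))
```

The swap step matters operationally: a plain `flush` followed by `add` lines would open a window in which a DROP rule matches nothing, and a failed download that produces an empty table should be detected before this script runs, since an empty set silently stops matching as well.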
