BOGONS not dropped w/ IP Address Blocklists

The IP Address Blocklists feature allows the selection of BOGON or BOGON_FULL block lists. However, the iptables for BLOCKLISTIN/BLOCKLISTOUT do a RETURN on the bogon IP Address ranges before actually getting to the BOGON_DROP or BOGON_FULL_DROP table processing. To my simple caveman brain, this means that selecting BOGON or BOGON_FULL in IP Address Blocklists settings would never actually detect any potential bogons. Am I missing something here?

My caveman brain doesn’t understand what’s going on behind the scenes either, but it does appear to be working:


1 Like

Hi Charles,

Here’s a bit more clarity on IPFire’s bogon filtering and why both the kernel’s martian filter and IPFire’s IP blocklist play complementary roles.

1. Kernel Martian Filter

The kernel’s martian filter can help detect and drop packets from known invalid (bogon) IPs at an early stage, but it’s generally static and isn’t frequently updated. It catches many obvious bogons, but newer or emerging bogon ranges might go unnoticed.

2. IPFire’s IP Blocklist (BOGON and BOGON_FULL)

The BOGON and BOGON_FULL blocklists in IPFire offer an additional layer, drawing from sources from Team Cymru, which are regularly updated. This ensures that IPFire catches recently identified bogons or invalid IPs that the static kernel filter might miss.

Why Both?

  • Kernel Filter: A background layer that can catch static bogons.
  • IPFire Blocklist: Updated frequently, covering emerging bogons and threats.

Hope this clears things up!

Thanks,
A G

3 Likes

Thank you @bloater99 & @ag for the reply. I had BOGON_FULL enabled and was never seeing any hits – while occasionally getting DROP_FORWARD fw logs for traffic going to 10.xx.xx.xx destination. Thanks for clearing this up – makes sense to me now.

1 Like

IPFire has its own built in Bogon rules (has had for a long time).

It drops anything coming in on red that is from a private address range. So those bogons will never be triggered by the IP Blocklist Bogon lists.

However, the entries from @bloater99 presumably have a source that is coming in from external public IPs and are getting dropped as they have a destination of 169.254.114.146, which is from the Automatic Private IP Addressing (APIPA) range. As this is not part of the green0 subnet, the packets are dropped as having their destination spoofed.

An IP being assigned from this APIPA range can often be related to Windows machines, as, if they fail to get assigned an IP by DHCP, they fall back to using an IP from this APIPA range.

However, in that case it will be flagged as a bogon, as the destination is being shown as being on the green network but with an IP that is not part of the green0 subnet.

The above is my interpretation of what is occurring. I may not be 100% correct on the second part, but I am sure of the first part: IPFire's built-in Bogon or Martian drop rules.

4 Likes

The BOGON list is just a short list of 13 entries and those will not change. 5 of those entries are covered by the IPFire rules.
That BOGON list was last updated on 19th Feb 2015 but it is a list that is unlikely to ever change unless IANA create a new private IP range.

The BOGON_FULL list contains 2712 entries, so it is much more than just private ranges. I am not really sure what makes some of those IP ranges considered to be Bogons. Maybe they are IP ranges from which a lot of spoofing comes, and so they are listed.
That list is updated more often. Last update was 29 Oct 2024 at 12:55.

Interestingly, you can no longer find those lists offered for download on the Cymru website. In the Community section you now have to sign up to be provided with the URL for the lists, and you have to define which list you want to sign up for. So that is a change from the past.

Hopefully they are not building up to change to a purchase or subscription model approach.

EDIT:-

I have now found the lists on the web site, and they note that those lists will be available Free, Forever. So no problem with a change to a charging model.

I have also found what the BOGON_FULL covers. It is not just bogons or martians.

The traditional bogon prefixes, plus prefixes that have been allocated to RIRs but not yet assigned by those RIRs to ISPs, end-users, etc.

It is updated every 4 hours.

4 Likes
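The two points made in the replies above (built-in private/spoofed-destination drops on red0 and green0 happening before any blocklist chain is reached, and several entries of the BOGON list being covered by those built-in rules) can be checked against firewall log lines and a prefix list with a short script. The example below is added here and is not part of the thread or of IPFire's own code: the green0 subnet (192.168.1.0/24), the set of martian ranges, the netfilter-style log lines and the prefix list are all constructed for illustration and are not IPFire's actual rule set or Team Cymru's actual list.

```python
import ipaddress
import re

# Assumption for this example: the green0 (LAN) subnet. The thread does not
# state the poster's actual green0 range.
GREEN0 = ipaddress.ip_network("192.168.1.0/24")

# Private, link-local and loopback ranges that a border firewall drops on its
# own ("martians") before any IP blocklist chain sees the packet. Assumed set
# for illustration; not a copy of IPFire's built-in rule list.
MARTIAN_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]

# Netfilter LOG-style fields (IN=, OUT=, SRC=, DST=); other fields are ignored.
LOG_RE = re.compile(
    r"(?P<prefix>\S+)\s+IN=(?P<ifin>\S*)\s+OUT=(?P<ifout>\S*).*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
)


def parse_line(line):
    """Return the prefix/ifin/ifout/src/dst fields of one log line, or None."""
    m = LOG_RE.search(line)
    return None if m is None else m.groupdict()


def is_martian(addr):
    return any(addr in net for net in MARTIAN_RANGES)


def classify(entry):
    """Explain why a logged packet never reaches the blocklist chains, if so.

    The three checks mirror the replies above: private source arriving on
    red0, a private destination on green0 that is not in the green0 subnet
    (spoofed destination), and (assumed) a private destination leaving via
    red0. Anything else is left to BLOCKLISTIN/BLOCKLISTOUT."""
    src = ipaddress.ip_address(entry["src"])
    dst = ipaddress.ip_address(entry["dst"])
    if entry["ifin"] == "red0" and is_martian(src):
        return "builtin-drop: private source on red0"
    if entry["ifout"] == "green0" and is_martian(dst) and dst not in GREEN0:
        return "builtin-drop: spoofed destination not in green0"
    if entry["ifout"] == "red0" and is_martian(dst):
        return "builtin-drop: private destination leaving via red0"
    return "passes built-in checks; blocklist chains evaluate it"


def classify_log(lines):
    """Classify every parseable line; returns (prefix, src, dst, verdict)."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is not None:
            out.append((e["prefix"], e["src"], e["dst"], classify(e)))
    return out


def covered_by_builtin(prefixes):
    """Split a bogon-style prefix list into entries wholly inside an assumed
    built-in martian range (the blocklist never sees such traffic) and the
    rest, which only the blocklist can catch."""
    covered, remaining = [], []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        (covered if any(net.subnet_of(m) for m in MARTIAN_RANGES)
         else remaining).append(p)
    return covered, remaining


# Constructed sample log lines in netfilter LOG format (not real IPFire logs).
SAMPLE_LOG = [
    "DROP_FORWARD IN=red0 OUT=green0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=169.254.114.146 PROTO=TCP SPT=443 DPT=51234",
    "DROP_INPUT IN=red0 OUT= SRC=10.5.5.5 DST=198.51.100.10 PROTO=UDP SPT=53 DPT=3456",
    "DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.20 DST=10.20.30.40 PROTO=TCP SPT=50000 DPT=80",
    "DROP_FORWARD IN=red0 OUT=green0 SRC=203.0.113.9 DST=192.168.1.20 PROTO=TCP SPT=4444 DPT=22",
]

# Constructed bogon-style prefix list (illustrative, not Team Cymru's list).
SAMPLE_PREFIXES = ["10.0.0.0/8", "100.64.0.0/10", "192.0.2.0/24",
                   "169.254.0.0/16", "224.0.0.0/4"]

if __name__ == "__main__":
    for prefix, src, dst, verdict in classify_log(SAMPLE_LOG):
        print(f"{prefix:13} {src:>16} -> {dst:<16} {verdict}")
    covered, remaining = covered_by_builtin(SAMPLE_PREFIXES)
    print("covered by built-in drops:", covered)
    print("left to the blocklist:    ", remaining)
```

The first sample line reproduces the case discussed above: a public source with an APIPA destination that is not in green0 is dropped as a spoofed destination, so it never counts as a BOGON_FULL hit. The last line is the only one that reaches the blocklist chains at all, which is why a blocklist counter can stay at zero while DROP_FORWARD entries for private destinations keep appearing.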