Generate bogons firewall chain based on routing-marks
Written by vaheeD on January 2, 2013
Team Cymru publishes a BGP feed carrying the current list of bogons (address space that should never appear as a source on the Internet: unallocated, reserved and private ranges). Here is a RouterOS script that takes that feed, once it has been imported into a routing table under a routing-mark (here "bogons"), and turns it into a firewall address-list:
## Builds an address list with bogons based on the
## learned bgp routes which have the specific routing-mark.
## Note: the list is empty between the remove loop and the add loop.
:local bogon
:log info "Removing all BOGONS, starting sync."
:foreach subnet in=[/ip firewall address-list find list=bogons] do={
    /ip firewall address-list remove $subnet
}
:foreach subnet in=[/ip route find routing-mark=bogons] do={
    :set bogon [/ip route get $subnet dst-address]
    :log info ("Found " . $bogon . " as bogon entry.")
    /ip firewall address-list add list=bogons address=$bogon
}
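One weakness of that script: it empties the list first and only then re-reads the routes, so if the BGP session happens to be down when it runs, the list ends up empty and the BOGONS chain silently drops nothing until the next successful sync. The following is an added example, not the original script, of the same sync done fail-closed: it refuses to touch the list when no routes carry the mark, and it updates in place (mark every entry stale, re-mark the ones still in BGP, delete the rest) so the list is never empty mid-sync. The routing-mark name bogons and the comment strings "stale" and "bgp" are assumptions; the syntax is RouterOS v6 (v7 moved routes to routing-table= instead of routing-mark=).

```routeros
## Added example (not the original script): fail-closed sync of the
## "bogons" address-list from routes carrying routing-mark=bogons.
## RouterOS v6 syntax assumed; on v7 use routing-table= on /ip route.
:local routes [/ip route find routing-mark=bogons]

## If the feed is gone, keep yesterday's list rather than an empty one.
:if ([:len $routes] = 0) do={
    :log warning "bogons: no routes with routing-mark=bogons (BGP session down?), list left untouched"
    :error "bogons: nothing to sync"
}

## Mark every existing entry stale; entries still in BGP are re-marked below.
:local current [/ip firewall address-list find list=bogons]
:if ([:len $current] > 0) do={
    /ip firewall address-list set $current comment="stale"
}

:local added 0
:foreach r in=$routes do={
    :local bogon [/ip route get $r dst-address]
    :local entry [/ip firewall address-list find list=bogons address=$bogon]
    :if ([:len $entry] = 0) do={
        ## New prefix: add it. on-error keeps one odd route from aborting the whole sync.
        :do {
            /ip firewall address-list add list=bogons address=$bogon comment="bgp"
            :set added ($added + 1)
        } on-error={ :log warning ("bogons: could not add " . $bogon) }
    } else={
        ## Still in the feed: keep it and clear the stale mark.
        /ip firewall address-list set $entry comment="bgp"
    }
}

## Anything still marked stale has left the feed and is no longer a bogon.
:local stale [/ip firewall address-list find list=bogons comment="stale"]
:if ([:len $stale] > 0) do={
    /ip firewall address-list remove $stale
}
:log info ("bogons: " . [:len $routes] . " routes in feed, " . $added . " added, " . [:len $stale] . " removed")
```

Run it once by hand with /system script run <name> and watch the log before handing it to the scheduler; the first run adds everything, later runs should log a handful of adds and removes at most.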
Now you can use a chain like this to catch traffic coming from bogon source addresses. Jump to it from wherever traffic arrives from untrusted networks (typically the input and forward chains for packets entering on the WAN interface); do not apply it to LAN-side traffic, since the RFC 1918 ranges are on the list. You’ll notice that the first few entries are bypasses for specific bogon addresses that are allowed: the cable modem’s management address sits in private space, and without the bypass the ICMP replies that traceroutes depend on would be dropped.
/ip firewall filter
add chain=BOGONS src-address=10.8.24.1 protocol=icmp action=return \
    comment="Bypass for cable modem internal IP (traceroutes require this)" disabled=no
add chain=BOGONS src-address=192.168.100.0/24 action=return \
    comment="CABLE INTERNAL IP - Bypass also" disabled=no
add chain=BOGONS limit=2,5 src-address-list=bogons action=log log-prefix="BOGONS" \
    comment="Reference the BOGONS address-list and LOG any that are on that list." disabled=no
add chain=BOGONS src-address-list=bogons action=drop \
    comment="Reference the BOGONS address-list and DROP any that are on that list." disabled=no
add chain=BOGONS action=return \
    comment="If not, return them to the previous chain." disabled=no
Here is the static address-list as of 12/05 (December 2005), if you just want to copy and paste it into your ruleset instead of running the feed. Treat it as a dated example rather than something to deploy: most of the /8s in it have since been allocated, so dropping them today would block legitimate traffic.
/ip firewall address-list
add list=bogons address=1.0.0.0/8
add list=bogons address=2.0.0.0/8
add list=bogons address=5.0.0.0/8
add list=bogons address=7.0.0.0/8
add list=bogons address=10.0.0.0/8
add list=bogons address=23.0.0.0/8
add list=bogons address=27.0.0.0/8
add list=bogons address=31.0.0.0/8
add list=bogons address=36.0.0.0/8
add list=bogons address=37.0.0.0/8
add list=bogons address=39.0.0.0/8
add list=bogons address=42.0.0.0/8
add list=bogons address=49.0.0.0/8
add list=bogons address=50.0.0.0/8
add list=bogons address=77.0.0.0/8
add list=bogons address=78.0.0.0/8
add list=bogons address=79.0.0.0/8
add list=bogons address=92.0.0.0/8
add list=bogons address=93.0.0.0/8
add list=bogons address=94.0.0.0/8
add list=bogons address=95.0.0.0/8
add list=bogons address=96.0.0.0/8
add list=bogons address=97.0.0.0/8
add list=bogons address=98.0.0.0/8
add list=bogons address=99.0.0.0/8
add list=bogons address=100.0.0.0/8
add list=bogons address=101.0.0.0/8
add list=bogons address=102.0.0.0/8
add list=bogons address=103.0.0.0/8
add list=bogons address=104.0.0.0/8
add list=bogons address=105.0.0.0/8
add list=bogons address=106.0.0.0/8
add list=bogons address=107.0.0.0/8
add list=bogons address=108.0.0.0/8
add list=bogons address=109.0.0.0/8
add list=bogons address=110.0.0.0/8
add list=bogons address=111.0.0.0/8
add list=bogons address=112.0.0.0/8
add list=bogons address=113.0.0.0/8
add list=bogons address=114.0.0.0/8
add list=bogons address=115.0.0.0/8
add list=bogons address=116.0.0.0/8
add list=bogons address=117.0.0.0/8
add list=bogons address=118.0.0.0/8
add list=bogons address=119.0.0.0/8
add list=bogons address=120.0.0.0/8
add list=bogons address=121.0.0.0/8
add list=bogons address=122.0.0.0/8
add list=bogons address=123.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=172.16.0.0/12
add list=bogons address=173.0.0.0/8
add list=bogons address=174.0.0.0/8
add list=bogons address=175.0.0.0/8
add list=bogons address=176.0.0.0/8
add list=bogons address=177.0.0.0/8
add list=bogons address=178.0.0.0/8
add list=bogons address=179.0.0.0/8
add list=bogons address=180.0.0.0/8
add list=bogons address=181.0.0.0/8
add list=bogons address=182.0.0.0/8
add list=bogons address=183.0.0.0/8
add list=bogons address=184.0.0.0/8
add list=bogons address=185.0.0.0/8
add list=bogons address=186.0.0.0/8
add list=bogons address=187.0.0.0/8
add list=bogons address=192.0.2.0/24
add list=bogons address=192.168.0.0/16
add list=bogons address=197.0.0.0/8
add list=bogons address=198.18.0.0/15
add list=bogons address=223.0.0.0/8
It’s best to use the BGP feed rather than a static list, because the feed is automated and stays current on its own. Be very careful with bogons: a stale list drops traffic from address space that has since been allocated, so always make sure to keep it updated.

To recap the setup: Team Cymru provides the BGP feed; we apply a BGP in-filter that tags the learned routes with a routing-mark; the script above then generates the address-list from the routes carrying that mark, and it runs nightly from the scheduler to keep the list up to date automatically.
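As an added example of the whole pipeline as RouterOS v6 configuration (not the page’s own export): the BGP peer with an in-filter that tags the feed’s routes with routing-mark=bogons and an out-filter that announces nothing, the scheduler that runs the sync script nightly, and the jump rules that send WAN traffic through the BOGONS chain. The peer address 198.51.100.1, remote AS 65000, local AS 64512, router-id 203.0.113.1, script name bogon-sync and interface name ether1-wan are placeholders: Team Cymru assigns the real peering details when you request the feed, and the script body is the one from the top of this post, saved under /system script.

```routeros
## Added example (not the page's own configuration): feed -> routing-mark
## -> address-list -> firewall chain, on RouterOS v6. Peer 198.51.100.1,
## AS 65000, local AS 64512, router-id 203.0.113.1, script name bogon-sync
## and interface ether1-wan are placeholders.
/routing bgp instance set default as=64512 router-id=203.0.113.1

## Import everything the feed sends, but only into routing table "bogons",
## so the prefixes never become forwarding entries in main. Announce nothing.
/routing filter add chain=cymru-in action=accept set-routing-mark=bogons
/routing filter add chain=cymru-out action=discard
## The feed is normally reached over eBGP multihop, hence multihop=yes.
/routing bgp peer add name=cymru remote-address=198.51.100.1 remote-as=65000 \
    multihop=yes in-filter=cymru-in out-filter=cymru-out

## The sync script from the top of the post lives in /system script as
## bogon-sync; run it every night at 03:00.
/system scheduler add name=bogon-sync interval=1d start-time=03:00:00 \
    on-event=bogon-sync

## Send packets entering on the WAN interface through the BOGONS chain.
/ip firewall filter
add chain=input in-interface=ether1-wan action=jump jump-target=BOGONS
add chain=forward in-interface=ether1-wan action=jump jump-target=BOGONS
```

Put the two jump rules after your established/related accept so only new flows are checked and the log rule in the chain is not hammered by return traffic. After the session comes up, confirm the routes landed in the right table with /ip route print where routing-mark=bogons before trusting the list; if that prints nothing, the in-filter is wrong and the script will have nothing to work with.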