authorBill Marquette <billm@pfsense.org>2005-02-26 01:45:34 +0000
committerBill Marquette <billm@pfsense.org>2005-02-26 01:45:34 +0000
commitff1955eeab587d34bdfc36e66f751cacc73c0980 (patch)
tree6aeb917c4bbc001eff51afc16fe1ed2786b61087
parentd7375115c181885d3f3e1d204250edc742d45129 (diff)
downloadpfsense-ff1955eeab587d34bdfc36e66f751cacc73c0980.zip
pfsense-ff1955eeab587d34bdfc36e66f751cacc73c0980.tar.gz
Enable bogon filtering
-rw-r--r--etc/bogons89
-rw-r--r--etc/inc/filter.inc15
-rwxr-xr-xusr/local/www/interfaces.php9
-rwxr-xr-xusr/local/www/interfaces_wan.php9
4 files changed, 120 insertions, 2 deletions
diff --git a/etc/bogons b/etc/bogons
new file mode 100644
index 0000000..321d334
--- /dev/null
+++ b/etc/bogons
@@ -0,0 +1,89 @@
+# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
+# Copyright Team Cymru <team-cymru@cymru.com>
+#
+# Last updated: 2/25/2005 - Bill Marquette
+#
+0.0.0.0/8
+1.0.0.0/8
+2.0.0.0/8
+5.0.0.0/8
+7.0.0.0/8
+10.0.0.0/8
+23.0.0.0/8
+27.0.0.0/8
+31.0.0.0/8
+36.0.0.0/8
+37.0.0.0/8
+39.0.0.0/8
+41.0.0.0/8
+42.0.0.0/8
+49.0.0.0/8
+50.0.0.0/8
+73.0.0.0/8
+74.0.0.0/8
+75.0.0.0/8
+76.0.0.0/8
+77.0.0.0/8
+78.0.0.0/8
+79.0.0.0/8
+89.0.0.0/8
+90.0.0.0/8
+91.0.0.0/8
+92.0.0.0/8
+93.0.0.0/8
+94.0.0.0/8
+95.0.0.0/8
+96.0.0.0/8
+97.0.0.0/8
+98.0.0.0/8
+99.0.0.0/8
+100.0.0.0/8
+101.0.0.0/8
+102.0.0.0/8
+103.0.0.0/8
+104.0.0.0/8
+105.0.0.0/8
+106.0.0.0/8
+107.0.0.0/8
+108.0.0.0/8
+109.0.0.0/8
+110.0.0.0/8
+111.0.0.0/8
+112.0.0.0/8
+113.0.0.0/8
+114.0.0.0/8
+115.0.0.0/8
+116.0.0.0/8
+117.0.0.0/8
+118.0.0.0/8
+119.0.0.0/8
+120.0.0.0/8
+121.0.0.0/8
+122.0.0.0/8
+123.0.0.0/8
+127.0.0.0/8
+169.254.0.0/16
+172.16.0.0/12
+173.0.0.0/8
+174.0.0.0/8
+175.0.0.0/8
+176.0.0.0/8
+177.0.0.0/8
+178.0.0.0/8
+179.0.0.0/8
+180.0.0.0/8
+181.0.0.0/8
+182.0.0.0/8
+183.0.0.0/8
+184.0.0.0/8
+185.0.0.0/8
+186.0.0.0/8
+187.0.0.0/8
+189.0.0.0/8
+190.0.0.0/8
+192.0.2.0/24
+192.168.0.0/16
+197.0.0.0/8
+198.18.0.0/15
+223.0.0.0/8
+224.0.0.0/3
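Review bot: This list is a point-in-time snapshot (the header dates it 2/25/2005), and most of the /8 entries are unallocated space that IANA hands out over time; once that happens the WAN rule in filter.inc silently drops legitimate traffic, which is the classic failure mode of static bogon lists. Until the refresh noted as XXX in filter.inc exists, the header should say what the operator has to do, e.g. `# Stale entries block legitimate traffic: refresh from the URL above before each release`. Note also that the file includes 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, so enabling this option also blocks RFC 1918 sources regardless of the separate blockpriv setting; the interfaces.php help text currently says the opposite.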
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 3395a94..82feef3 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1109,9 +1109,20 @@ EOD;
}
- $ipfrules .= <<<EOD
+ /* block bogon networks on WAN */
+ /* http://www.cymru.com/Documents/bogon-bn-nonagg.txt */
+ /* XXX - pull from www.cymru.com at some point so we don't have to manually update */
+ if (isset($config['interfaces']['wan']['blockbogons'])) {
+ $ipfrules .= <<<EOD
+# block bogon networks
+# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
+table <bogons> persist file "/etc/bogons"
+block in $log quick on $wanif from <bogons> to any label "block bogon networks from wan"
+EOD;
+
+ $ipfrules .= <<<EOD
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $wanif all keep state label "let out anything from firewall host itself"
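Review bot: The new `table <bogons> persist file "/etc/bogons"` line makes the whole ruleset load depend on that file being present and readable; if it is missing, pfctl rejects the entire ruleset rather than just this table, so the guard should be `if (isset($config['interfaces']['wan']['blockbogons']) && file_exists("/etc/bogons")) {`, ideally with a log_error() on the else path so the operator sees why bogon filtering is off. As displayed, the `if` opened on that guard line is not closed before the following `$ipfrules .= <<<EOD`; if the `}` is genuinely absent rather than dropped from this view, the pass-out rules that follow become conditional on blockbogons too. The enclosing function starts and ends outside this hunk.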
@@ -1606,4 +1617,4 @@ function create_firewall_outgoing_rules_to_itself() {
return $rule;
}
-?> \ No newline at end of file
+?>
diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php
index 1e8c21f..a4fa794 100755
--- a/usr/local/www/interfaces.php
+++ b/usr/local/www/interfaces.php
@@ -73,6 +73,7 @@ if ($wancfg['ipaddr'] == "dhcp") {
}
$pconfig['blockpriv'] = isset($wancfg['blockpriv']);
+$pconfig['blockbogons'] = isset($wancfg['blockbogons']);
$pconfig['spoofmac'] = $wancfg['spoofmac'];
$pconfig['mtu'] = $wancfg['mtu'];
@@ -233,6 +234,7 @@ if ($_POST) {
$wancfg['bandwidthtype'] = $_POST['bandwidthtype'];
$wancfg['blockpriv'] = $_POST['blockpriv'] ? true : false;
+ $wancfg['blockbogons'] = $_POST['blockbogons'] ? true : false;
$wancfg['spoofmac'] = $_POST['spoofmac'];
$wancfg['mtu'] = $_POST['mtu'];
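Review bot: `$_POST['blockbogons'] ? true : false` reads a key that is absent whenever the checkbox is unchecked, which raises an undefined-index notice on every save with the option off; `$wancfg['blockbogons'] = isset($_POST['blockbogons']);` gives the same boolean without the notice. This mirrors the blockpriv line above it, so the same fix applies there and to the identical hunk in interfaces_wan.php. The enclosing `if ($_POST)` block starts and ends outside this hunk.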
@@ -667,6 +669,13 @@ function type_change(enable_change,enable_change_pptp) {
lies in such a private address space, too.</td>
</tr>
<tr>
+ <td valign="middle">&nbsp;</td>
+ <td class="vtable"> <input name="blockbogons" type="checkbox" id="blockbogons" value="yes" <?php if ($pconfig['blockbogons']) echo "checked"; ?>>
+ <strong>Block bogon networks</strong><br>
+ When set, this option blocks traffic from IP addresses that
+ are reserved (but not RFC 1918) or not yet assigned by IANA.<br>
+ Bogons are prefixes that should never appear in the Internet routing table, and obviously should not appear as the source address in any packets you receive.</td>
+ <tr>
<td width="100" valign="top">&nbsp;</td>
<td> &nbsp;<br> <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change_pptp(true)&&enable_change(true)">
</td>
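Review bot: The new table row is never closed: the added cells end with `</td>` and are followed directly by the added `<tr>` that starts the Save row, so that line should read `</tr>` and then `<tr>`. The help text also states the option blocks addresses that are "reserved (but not RFC 1918)", while /etc/bogons added in this commit contains 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; either drop the "(but not RFC 1918)" qualifier or remove those prefixes from the file, since an operator reading this text will assume private sources are still governed only by the blockpriv setting. The same markup and wording appear in the identical hunk in interfaces_wan.php.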
diff --git a/usr/local/www/interfaces_wan.php b/usr/local/www/interfaces_wan.php
index 1e8c21f..a4fa794 100755
--- a/usr/local/www/interfaces_wan.php
+++ b/usr/local/www/interfaces_wan.php
@@ -73,6 +73,7 @@ if ($wancfg['ipaddr'] == "dhcp") {
}
$pconfig['blockpriv'] = isset($wancfg['blockpriv']);
+$pconfig['blockbogons'] = isset($wancfg['blockbogons']);
$pconfig['spoofmac'] = $wancfg['spoofmac'];
$pconfig['mtu'] = $wancfg['mtu'];
@@ -233,6 +234,7 @@ if ($_POST) {
$wancfg['bandwidthtype'] = $_POST['bandwidthtype'];
$wancfg['blockpriv'] = $_POST['blockpriv'] ? true : false;
+ $wancfg['blockbogons'] = $_POST['blockbogons'] ? true : false;
$wancfg['spoofmac'] = $_POST['spoofmac'];
$wancfg['mtu'] = $_POST['mtu'];
@@ -667,6 +669,13 @@ function type_change(enable_change,enable_change_pptp) {
lies in such a private address space, too.</td>
</tr>
<tr>
+ <td valign="middle">&nbsp;</td>
+ <td class="vtable"> <input name="blockbogons" type="checkbox" id="blockbogons" value="yes" <?php if ($pconfig['blockbogons']) echo "checked"; ?>>
+ <strong>Block bogon networks</strong><br>
+ When set, this option blocks traffic from IP addresses that
+ are reserved (but not RFC 1918) or not yet assigned by IANA.<br>
+ Bogons are prefixes that should never appear in the Internet routing table, and obviously should not appear as the source address in any packets you receive.</td>
+ <tr>
<td width="100" valign="top">&nbsp;</td>
<td> &nbsp;<br> <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change_pptp(true)&&enable_change(true)">
</td>