BCP 38 egress filter on Ubuntu Server

Before I re-invent the wheel, has anyone come up with blackhole route specifications for netplan in Ubuntu servers? Such a capability would perform the egress blocking for an edge server.

The table of blackhole routes I would set up:
Scope Description
Software Current network (only valid as source address).
Private network Used for local communications within a private network.
Private network Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT.
Host Used for loopback addresses to the local host.
Subnet Used for link-local addresses between two hosts on a single link when no IP address is otherwise specified, such as would have normally been retrieved from a DHCP server.
Private network Used for local communications within a private network.
Private network IETF Protocol Assignments.
Documentation Assigned as TEST-NET-1, documentation and examples.
Internet Reserved. Formerly used for IPv6 to IPv4 relay.
Private network Used for local communications within a private network.
Private network Used for benchmark testing of inter-network communications between two separate subnets.
Documentation Assigned as TEST-NET-2, documentation and examples.
Documentation Assigned as TEST-NET-3, documentation and examples.
Internet In use for IP multicast.
Internet Reserved for future use.
Subnet Reserved for the "limited broadcast" destination address.

Address block Usage Purpose
::/0 Routing Default route.
::/128 Software Unspecified address.
::1/128 Host Loopback address to local host.
::ffff:0:0/96 Software IPv4 mapped addresses.
::ffff:0:0:0/96 Software IPv4 translated addresses.
64:ff9b::/96 Global Internet IPv4/IPv6 translation.
100::/64 Routing Discard prefix.
2001::/32 Global Internet Teredo tunneling.
2001:20::/28 Software ORCHIDv2.
2001:db8::/32 Documentation Addresses used in documentation and example source code.
2002::/16 Global Internet The 6to4 addressing scheme
fc00::/7 Private network Unique local address.
fe80::/10 Link Link-local address.
ff00::/8 Global Internet Multicast address.
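One way to turn the two tables above into the netplan fragment the question asks for, as an added example that is not from the original post or from netplan itself. The prefix list is embedded as a constructed input (the standard IANA special-purpose IPv4/IPv6 blocks behind the rows above), `eth0` is a placeholder interface name, and the skip list is this example's own choice of rows that a working edge server must keep reachable; the YAML keys (`routes`, `to`, `type: blackhole`) are netplan's documented syntax.

```python
"""Render netplan blackhole routes for the special-purpose prefixes above.

Added example for this thread, not code from the original poster or from
netplan.  The prefix list is constructed here from the standard IANA
special-purpose IPv4/IPv6 blocks; 'eth0' is a placeholder interface name.
"""
import ipaddress

# Constructed input: (prefix, short note), one entry per row of the tables.
SPECIAL_PURPOSE = [
    ("0.0.0.0/8", "current network (source only)"),
    ("10.0.0.0/8", "private"),
    ("100.64.0.0/10", "shared address space (CGNAT)"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "private"),
    ("192.0.0.0/24", "IETF protocol assignments"),
    ("192.0.2.0/24", "TEST-NET-1"),
    ("192.88.99.0/24", "reserved, former 6to4 relay"),
    ("192.168.0.0/16", "private"),
    ("198.18.0.0/15", "benchmarking"),
    ("198.51.100.0/24", "TEST-NET-2"),
    ("203.0.113.0/24", "TEST-NET-3"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
    ("255.255.255.255/32", "limited broadcast"),
    ("::/0", "default route"),
    ("::/128", "unspecified"),
    ("::1/128", "loopback"),
    ("::ffff:0:0/96", "IPv4-mapped"),
    ("::ffff:0:0:0/96", "IPv4-translated"),
    ("64:ff9b::/96", "NAT64"),
    ("100::/64", "discard prefix"),
    ("2001::/32", "Teredo"),
    ("2001:20::/28", "ORCHIDv2"),
    ("2001:db8::/32", "documentation"),
    ("2002::/16", "6to4"),
    ("fc00::/7", "unique local"),
    ("fe80::/10", "link-local"),
    ("ff00::/8", "multicast"),
]

# Rows that must NOT become blackhole routes in the main table on a working
# edge server.  This is a judgement call made for the example, with the
# reason recorded so it can be revisited per site.  Loopback (127/8, ::1)
# is safe to list because the 'local' table is consulted before 'main', and
# fe80::/10 is safe because each interface carries a more specific fe80::/64.
DO_NOT_BLACKHOLE = {
    "::/0": "the default route itself",
    "224.0.0.0/4": "multicast sends (mDNS, OSPF hellos) use a route lookup "
                   "unless the socket is bound to an interface",
    "ff00::/8": "same for IPv6 multicast",
    "255.255.255.255/32": "limited broadcast is also resolved through the FIB",
    "64:ff9b::/96": "NAT64 well-known prefix, reachable where NAT64 is deployed",
    "2001::/32": "Teredo is globally routed",
    "2002::/16": "6to4 is globally routed (deprecated, still in use)",
}


def blackhole_prefixes(rows, skip=DO_NOT_BLACKHOLE):
    """Validate every prefix (ip_network is strict about host bits) and
    return the ones to blackhole as network objects, in input order."""
    out = []
    for prefix, _note in rows:
        net = ipaddress.ip_network(prefix)   # raises ValueError on a typo
        if str(net) in skip:
            continue
        out.append(net)
    return out


def conflicting(nets, own_addresses):
    """Prefixes that contain one of this host's own addresses, e.g. a
    management interface in 10/8.  The connected subnet still wins by
    longest match, but the rest of that block disappears, so such rows
    need a real route or must be removed from the set."""
    own = [ipaddress.ip_address(a) for a in own_addresses]
    return [n for n in nets if any(a in n for a in own)]


def render_netplan(iface, nets):
    """netplan v2 fragment: one 'type: blackhole' route per prefix.  netplan
    only accepts routes under an interface, although the resulting kernel
    route has no device."""
    lines = ["network:", "  version: 2", "  ethernets:",
             f"    {iface}:", "      routes:"]
    for net in nets:
        lines += [f"        - to: {net}", "          type: blackhole"]
    return "\n".join(lines) + "\n"


def route_commands(nets):
    """The same routes as one-off iproute2 commands, for trying the set by
    hand (ip route show type blackhole) before writing it into netplan."""
    return [("ip route add blackhole " if n.version == 4
             else "ip -6 route add blackhole ") + str(n) for n in nets]


if __name__ == "__main__":
    selected = blackhole_prefixes(SPECIAL_PURPOSE)
    print(render_netplan("eth0", selected), end="")
```

Run `conflicting()` against the host's own addresses before installing the set, write the output to a file such as /etc/netplan/99-bogons.yaml, and use `netplan try` rather than `netplan apply` the first time so a mistake rolls back on its own.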

Could be considered implemented, too. Either as an EBGP multi-hop feed
from Cymru or via a (scheduled cron) HTTP(S) download, distributed
internally in your network via IBGP.

I have found that pfSense uses this feed to filter traffic if 'Block
bogon networks' is enabled on the WAN interface(s).

I.e. the pfSense bogons + bogonsv6 tables match the Cymru HTTP feed.

Hi Stephen,

I think you may be misunderstanding BCP 38. BCP 38 is about limiting
-source- addresses. What you've described is bogon filtering on
destination IP addresses. As far as I know, there's no BCP on bogon
filtering although BCP 84 offers some relevant advice.

BCP 38 is very simple:

1. If your IP address is then drop any Internet-bound packets
which purport to be -from- any address which is not
2. If your IP address is then drop any packets FROM the
Internet which purport to be -from-

That's it!

Bill Herrin

I agree.

However I will add that it's trivial to extend the destination-based filtering to source-based filtering by enabling reverse path filtering.

Adding the bogons as destinations to a routing table (that is processed) is compatible with reverse path filtering. Putting the bogons in iptables / nftables is incompatible with reverse path filtering.

Stephen: I've not done this with netplan but I do this on Linux and have found it to be extremely effective when combined with reverse path filtering. I have an EBGP feed from Team Cymru and augment it (additional routing tables) with (e)DROP and federated Fail2Ban. I like it!
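To make the last two replies concrete, here is a small model of the Linux forwarding decision written for this page (a simulation, not kernel code and not any poster's configuration): a longest-prefix-match FIB, the strict/loose reverse-path check that `rp_filter` performs, and an optional destination-only firewall list standing in for an nftables `ip daddr { ... } drop` rule. Interface names `eth0`/`eth1`, the routes, the bogon subset and the packets are all constructed; `198.51.100.0/24` plays the site's own block and `203.0.113.0/24` plays "the Internet" behind the default route.

```python
"""Model of the Linux forwarding decision: longest-prefix FIB, reverse-path
filter, and a destination-only firewall list.

Added example for this thread (a simulation, not kernel code and not any
poster's configuration).  Interfaces, routes and packets are constructed:
198.51.100.0/24 plays the site's own block on eth1, 203.0.113.0/24 plays
'the Internet' behind the default route on eth0.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]          # outgoing interface; None for a blackhole
    blackhole: bool = False


def route(prefix, dev=None, blackhole=False):
    return Route(ipaddress.ip_network(prefix), dev, blackhole)


class Fib:
    """Longest-prefix-match lookup over a list of routes."""

    def __init__(self, routes):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr) -> Optional[Route]:
        for r in self.routes:
            if addr in r.prefix:
                return r
        return None


# Constructed subset of the bogon prefixes; the real set comes from the
# tables above or from the Team Cymru feed.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
          "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]


def edge_fib(bogon_blackholes: bool) -> Fib:
    """Edge server: default route out eth0, own block on eth1, and
    optionally one blackhole route per bogon prefix."""
    routes = [route("0.0.0.0/0", "eth0"), route("198.51.100.0/24", "eth1")]
    if bogon_blackholes:
        routes += [route(p, blackhole=True) for p in BOGONS]
    return Fib(routes)


def reverse_path_ok(fib: Fib, src, iif: str, mode: int) -> bool:
    """net.ipv4.conf.all.rp_filter semantics: 0 off; 1 strict, the best
    route back to src must leave via iif; 2 loose, any route back to src
    will do.  A blackhole route for src fails in both modes, which is what
    turns a bogon routing table into a source-address filter."""
    if mode == 0:
        return True
    r = fib.lookup(src)
    if r is None or r.blackhole:
        return False
    return mode == 2 or r.dev == iif


def decide(fib: Fib, pkt: Tuple[str, str], iif: str, rp_filter: int = 1,
           fw_dst_drop=()) -> Tuple[str, str]:
    """Verdict for a packet (src, dst) arriving on iif.  fw_dst_drop models
    an nftables 'ip daddr { ... } drop' rule: it sees the destination only
    and is never consulted by the reverse-path check."""
    src, dst = ipaddress.ip_address(pkt[0]), ipaddress.ip_address(pkt[1])
    if not reverse_path_ok(fib, src, iif, rp_filter):
        return "drop", "rp_filter: no acceptable route back to source"
    if any(dst in net for net in fw_dst_drop):
        return "drop", "firewall: bogon destination"
    r = fib.lookup(dst)
    if r is None:
        return "drop", "no route to destination"
    if r.blackhole:
        return "drop", "route: destination blackholed"
    return "forward", f"out {r.dev}"


def demo():
    """The cases the replies above argue about; returns {name: verdict}."""
    bh, fw = edge_fib(True), edge_fib(False)
    fw_list = [ipaddress.ip_network(p) for p in BOGONS]
    return {
        # Internet packet with a spoofed private source.
        "spoofed_src_blackhole_rpf": decide(bh, ("10.1.2.3", "198.51.100.7"), "eth0", 1),
        "spoofed_src_blackhole_no_rpf": decide(bh, ("10.1.2.3", "198.51.100.7"), "eth0", 0),
        # Same packet, bogons only in a dst-drop firewall: the default route
        # satisfies rp_filter, so the spoof gets through.
        "spoofed_src_fw_only_rpf": decide(fw, ("10.1.2.3", "198.51.100.7"), "eth0", 1, fw_list),
        # Bill's rule 2: Internet packet claiming to be from our own block.
        "claims_our_block_strict": decide(bh, ("198.51.100.50", "198.51.100.7"), "eth0", 1),
        "claims_our_block_loose": decide(bh, ("198.51.100.50", "198.51.100.7"), "eth0", 2),
        # Bill's rule 1: mis-addressed LAN host leaving for the Internet.
        "lan_misaddressed_egress": decide(bh, ("192.168.5.5", "203.0.113.9"), "eth1", 1),
        "legit_egress": decide(bh, ("198.51.100.7", "203.0.113.9"), "eth1", 1),
        "legit_ingress": decide(bh, ("203.0.113.9", "198.51.100.7"), "eth0", 1),
        # What the original question described: a bogon destination.
        "bogon_destination": decide(bh, ("203.0.113.9", "10.0.0.1"), "eth0", 1),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict[0]:8} {verdict[1]}")
```

On a real box the equivalent is one `ip route add blackhole <prefix>` per bogon (or the netplan routes) plus `sysctl -w net.ipv4.conf.all.rp_filter=1`; IPv6 has no rp_filter sysctl, and the nftables rule `fib saddr . iif oif missing drop` performs the same check there. Strict mode assumes symmetric routing: a site with two upstreams and asymmetric paths has to use loose mode and accept that it then only rejects blackholed sources, as the loose case in the model shows.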