
As Wikipedia puts it, a bogon is the informal name for a packet whose source address should not exist in the network it appears in. The term comes from the English word "bogus" (made up, fake).
The router configuration in this article is based on MikroTik, but the same thing should be applied on every router, from every vendor.
To the point: typical LAN addressing, e.g. 192.168.0.0/24 or 10.0.0.0/8, is described in RFC 1918. So in theory an IP packet with such a source address should never show up on the WAN interface. Besides the ranges mentioned above there are several more addresses of this kind:
0.0.0.0/8 - Self-Identification, RFC 3330
127.0.0.0/8 - Loopback, RFC 3330
169.254.0.0/16 - Link Local, RFC 3330
172.16.0.0/12 - Private, RFC 1918
192.0.2.0/24 - Reserved, IANA, TestNet1
192.88.99.0/24 - 6to4 Relay Anycast, RFC 3068
198.18.0.0/15 - NIDB Testing
198.51.100.0/24 - Reserved, IANA, TestNet2
203.0.113.0/24 - Reserved, IANA, TestNet3
224.0.0.0/4 - Multicast, Class D, IANA
Such incoming traffic can be blocked on the router from the WAN side. We do this by creating an address list of the forbidden ranges:
/ip firewall address-list add address=0.0.0.0/8 comment="Self-Identification RFC3330" list=bogons
/ip firewall address-list add address=10.0.0.0/8 comment="Private RFC1918" list=bogons
/ip firewall address-list add address=127.0.0.0/8 comment="Loopback RFC3330" list=bogons
/ip firewall address-list add address=169.254.0.0/16 comment="Link Local RFC3330" list=bogons
/ip firewall address-list add address=172.16.0.0/12 comment="Private RFC1918" list=bogons
/ip firewall address-list add address=192.168.0.0/16 comment="Private RFC1918" list=bogons
/ip firewall address-list add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 Relay Anycast RFC3068" list=bogons
/ip firewall address-list add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
/ip firewall address-list add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
/ip firewall address-list add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
/ip firewall address-list add address=224.0.0.0/4 comment="MC, Class D, IANA" list=bogons
Next, add the corresponding filter rule, specifying the WAN interface in it (in-interface=WAN):
/ip firewall raw add action=drop chain=prerouting in-interface=WAN src-address-list=bogons
P.S. Do not apply these rules (or adapt them first) if your WAN interface does not carry a public IP address (e.g. you are on LTE without a public IP).
The end 🙂
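As an added example (not part of the original post), the following Python script models the raw rule above with the same bogon list, and implements the P.S. as a pre-flight check: given the WAN interface's own address, it reports which list entries would drop the router's own uplink traffic. It goes slightly beyond the article's list by also including 100.64.0.0/10 (CGNAT) and 240.0.0.0/4, which matter for the LTE case; the interface name "WAN" and the sample addresses are assumptions.

```python
import ipaddress

# Bogon prefixes from the article's address list, plus CGNAT and 240/4 (added here).
BOGON_PREFIXES = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4",
]
BOGONS = [ipaddress.ip_network(p) for p in BOGON_PREFIXES]


def bogon_prefix(addr):
    """Return the matching bogon prefix as a string, or None if addr is routable."""
    ip = ipaddress.ip_address(addr)
    for net in BOGONS:
        if ip in net:
            return str(net)
    return None


def raw_verdict(src, in_iface, wan_iface="WAN"):
    """Mirror '/ip firewall raw add action=drop chain=prerouting
    in-interface=WAN src-address-list=bogons': drop only WAN ingress
    whose source falls in the list; everything else passes this rule."""
    if in_iface == wan_iface and bogon_prefix(src):
        return "drop"
    return "accept"


def wan_address_conflicts(wan_cidr):
    """The P.S. check: list entries overlapping the WAN interface's own subnet.
    A non-empty result means the rule would drop the provider's gateway and
    the router's own traffic (e.g. LTE behind CGNAT, or double NAT)."""
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    return [str(n) for n in BOGONS if n.overlaps(wan)]


if __name__ == "__main__":
    # Constructed sample: a public WAN and a CGNAT WAN (assumed addresses).
    for wan in ("8.8.8.8/24", "100.72.5.9/22"):
        print(wan, "conflicts:", wan_address_conflicts(wan))
    print(raw_verdict("192.168.1.10", "WAN"), raw_verdict("192.168.1.10", "bridge"))
```

Run the conflict check before committing the rule; if it prints anything for your WAN subnet, remove that entry from the list or skip the rule, exactly as the P.S. advises.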
Hello 🙂
I'm adding my updated list, maybe it will be useful to someone
/ip firewall filter
add address=127.0.0.0/8 comment="defconf: RFC6890 - loopback" list=non-routable-ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890 - reserved" list=non-routable-ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 - TEST-NET-1" list=non-routable-ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 - TEST-NET-2" list=non-routable-ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 - TEST-NET-3" list=non-routable-ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 - reserved" list=non-routable-ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=non-routable-ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890 - private network" list=non-routable-ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890 - CGNAT" list=non-routable-ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link-local" list=non-routable-ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890 - private network" list=non-routable-ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890 - IETF Protocol Assignments" list=non-routable-ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890 - private network" list=non-routable-ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 - benchmark testing" list=non-routable-ipv4
add address=255.255.255.255 comment="defconf: RFC6890 - limited broadcast" list=non-routable-ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890 - multicast" list=non-routable-ipv4
add address=192.88.99.0/24 comment="defconf: RFC3068 - 6to4 prefix" list=non-routable-ipv4
add address=192.175.48.0/24 comment="defconf: RFC7535 - AS112-v4" list=non-routable-ipv4
add address=192.31.196.0/24 comment="defconf: RFC7535 - AS112-v4" list=non-routable-ipv4
add address=192.52.193.0/24 comment="defconf: RFC7535 - AS112-v4" list=non-routable-ipv4
add address=198.35.0.0/24 comment="defconf: RFC7535 - AS112-v4" list=non-routable-ipv4
add address=233.252.0.0/24 comment="defconf: RFC5771 - MCAST-TEST-NET" list=non-routable-ipv4
add address=192.0.0.170 comment="defconf: RFC6052 - NAT64 prefix" list=non-routable-ipv4
add address=192.0.0.171 comment="defconf: RFC6052 - NAT64 prefix" list=non-routable-ipv4
and the in/out filter rules
/ip firewall raw
add action=drop chain=prerouting comment="drop non-routable source IPs from WAN" in-interface-list=WAN src-address-list=non-routable-ipv4
add action=drop chain=prerouting comment="drop non-routable destination IPs from WAN" dst-address-list=non-routable-ipv4 in-interface-list=WAN
add action=drop chain=output comment="drop non-routable source IPs to WAN" out-interface-list=WAN src-address-list=non-routable-ipv4
add action=drop chain=output comment="drop non-routable destination IPs to WAN" dst-address-list=non-routable-ipv4 out-interface-list=WAN
as for the last two, I don't know whether they will work in raw/output with a list, but if they catch anything then the router configuration is definitely wrong 🙂
Hello 🙂
I'm adding my updated list, maybe it will be useful to someone
(small fix)
/ip firewall address-list
add address=127.0.0.0/8 comment="defconf: RFC6890 - loopback" list=non-routable-ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890 - reserved" list=non-routable-ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 - TEST-NET-1" list=non-routable-ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 - TEST-NET-2" list=non-routable-ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 - TEST-NET-3" list=non-routable-ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 - reserved" list=non-routable-ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=non-routable-ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890 - private network" list=non-routable-ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890 - CGNAT" list=non-routable-ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link-local" list=non-routable-ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890 - private network" list=non-routable-ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890 - IETF Protocol Assignments" list=non-routable-ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890 - private network" list=non-routable-ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 - benchmark testing" list=non-routable-ipv4
add address=255.255.255.255 comment="defconf: RFC6890 - limited broadcast" list=non-routable-ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890 - multicast" list=non-routable-ipv4
add address=192.88.99.0/24 comment="defconf: RFC3068 - 6to4 prefix" list=non-routable-ipv4
add address=192.175.48.0/24 comment="defconf: RFC7535 - AS112-v4" list=non-routable-ipv4
add address=192.31.196.0/24 comment="defconf: RFC7535 - AS112-v4" list=non-routable-ipv4
add address=192.52.193.0/24 comment="defconf: RFC7535 - AS112-v4" list=non-routable-ipv4
add address=198.35.0.0/24 comment="defconf: RFC7535 - AS112-v4" list=non-routable-ipv4
add address=233.252.0.0/24 comment="defconf: RFC5771 - MCAST-TEST-NET" list=non-routable-ipv4
add address=192.0.0.170 comment="defconf: RFC6052 - NAT64 prefix" list=non-routable-ipv4
add address=192.0.0.171 comment="defconf: RFC6052 - NAT64 prefix" list=non-routable-ipv4
and the in/out filter rules
/ip firewall raw
add action=drop chain=prerouting comment="drop non-routable source IPs from WAN" in-interface-list=WAN src-address-list=non-routable-ipv4
add action=drop chain=prerouting comment="drop non-routable destination IPs from WAN" dst-address-list=non-routable-ipv4 in-interface-list=WAN
add action=drop chain=output comment="drop non-routable source IPs to WAN" out-interface-list=WAN src-address-list=non-routable-ipv4
add action=drop chain=output comment="drop non-routable destination IPs to WAN" dst-address-list=non-routable-ipv4 out-interface-list=WAN
as for the last two, I don't know whether they will work in raw/output with a list, but if they catch anything then the router configuration is definitely wrong 🙂