[OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping
Brian J. Murrell
brian at interlinx.bc.ca
Tue Jun 16 12:47:12 EDT 2015
On Tue, 2015-06-16 at 17:05 +0200, Steven Barth wrote:
> You should see an unreachable route for your own local ULA /48.
Indeed:
fd31:aeb1:48df::/64 dev br-lan proto static metric 1024
unreachable fd31:aeb1:48df::/48 dev lo proto static metric 2147483647 error -128
> Also if your clients try to use your local ULA as source to reach
> anything outside of the ULA (e.g. global addresses) this is blocked
> (there is no matching route - simpler explanation to my previous post).
Hrm. How is that done, since that is source-route matching? Not via
the normal routing table, right?
> I don't see any particular point to blocking all of the ULA-space as
> destination though.
The point is to give an immediate failure (i.e. ENETUNREACH) to
misguided attempts to connect to the ULA space via one's Internet
connection. These typically happen when somebody else misguidedly puts
the ULA address for their host into their global DNS zone instead of the
global address. Yes, it should just time out eventually, but why make
them wait for that?
> If you think its useful for you
It seems to me to be useful to everybody. And TBH, I'm surprised it's
not a requirement of some RFC, as I was unable to find any such
requirement although I found recommendations.
Cheers,
b.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20150616/525a5f37/attachment.sig>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list