[OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

Brian J. Murrell brian at interlinx.bc.ca
Tue Jun 16 12:47:12 EDT 2015


On Tue, 2015-06-16 at 17:05 +0200, Steven Barth wrote:
> You should see an unreachable route for your own local ULA /48.

Indeed:

fd31:aeb1:48df::/64 dev br-lan  proto static  metric 1024 
unreachable fd31:aeb1:48df::/48 dev lo  proto static  metric 2147483647  error -128

> Also if your clients try to use your local ULA as source to reach
> anything outside of the ULA (e.g. global addresses) this is blocked
> (there is no matching route - simpler explanation to my previous post).

Hrm.  How is that done, since that is source-route matching?  Not via
the normal routing table, right?

> I don't see any particular point to blocking all of the ULA-space as
> destination though.

The point is to give an immediate failure (i.e. ENETUNREACH) to
misguided attempts to connect to the ULA space via one's Internet
connection.  These typically happen when somebody else misguidedly puts
the ULA address for their host into their global DNS zone instead of the
global address.  Yes, it should just time out eventually, but why make
them wait for that?

> If you think it's useful for you

It seems to me to be useful to everybody.  And TBH, I'm surprised it's
not a requirement of some RFC, as I was unable to find any such
requirement although I found recommendations.

Cheers,
b.
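As an added example (not code from this thread or from the OpenWrt project), the POSIX shell script below derives the local ULA /48 from the LAN /64, checks a route listing for the unreachable route Steven describes, and prints the route plus ip6tables rules for the "firewall instead of routing rules" approach in the subject line; the route listing, the WAN interface name eth0.2 and the prefixes are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: check a router's IPv6 route table for
# the "unreachable <ULA /48>" entry and print route and firewall rules that fail
# ULA traffic at once instead of letting it leave via the WAN and time out.
# Assumes Linux with iproute2 and ip6tables; all values below are constructed.

# Constructed `ip -6 route` output modelled on the listing in the thread.
SAMPLE_ROUTES='fd31:aeb1:48df::/64 dev br-lan  proto static  metric 1024
unreachable fd31:aeb1:48df::/48 dev lo  proto static  metric 2147483647  error -128
default via fe80::1 dev eth0.2  proto static  metric 512'

# Derive the /48 from a /64 prefix using its first three 16-bit groups, e.g.
# fd31:aeb1:48df::/64 -> fd31:aeb1:48df::/48 (compressed zero groups become 0).
ula_prefix48() {
    addr=${1%%/*}
    g1=${addr%%:*}; rest=${addr#*:}
    g2=${rest%%:*}; rest=${rest#*:}
    g3=${rest%%:*}
    printf '%s:%s:%s::/48\n' "$g1" "${g2:-0}" "${g3:-0}"
}

# Succeed when the route listing on stdin has an unreachable route for $1; that
# route gives local sockets an immediate ENETUNREACH instead of the default route.
has_unreachable_route() {
    grep -qE "^unreachable $1( |$)"
}

# The unreachable routes cover the router's own sockets; the ip6tables REJECTs
# cover forwarded LAN traffic and answer with ICMPv6 administratively-prohibited,
# so clients fail at once whether the ULA appears as destination or as source.
emit_rules() {
    wan=$1; p48=$2
    cat <<EOF
ip -6 route add unreachable $p48 metric 2147483647
ip -6 route add unreachable fc00::/7 metric 2147483647
ip6tables -I FORWARD -o $wan -d fc00::/7 -j REJECT --reject-with icmp6-adm-prohibited
ip6tables -I FORWARD -o $wan -s fc00::/7 -j REJECT --reject-with icmp6-adm-prohibited
EOF
}

# Report on the /48 derived from the LAN /64 ($1); print the rules if it is missing.
check_ula_escape() {
    p48=$(ula_prefix48 "$1")
    if has_unreachable_route "$p48"; then
        echo "ok: unreachable route for $p48 present"; return 0
    fi
    echo "missing: unreachable route for $p48, suggested rules:"; emit_rules "$2" "$p48"
    return 1
}

printf '%s\n' "$SAMPLE_ROUTES" | check_ula_escape fd31:aeb1:48df::/64 eth0.2
```

On a router, replace the sample with `ip -6 route | check_ula_escape <lan /64> <wan interface>`.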
