Hi,
we are using 22.1.3 and tried to create a blocking rule for bogon networks on one of our interfaces.
It is not working.
We tried to ping from the network on this interface to one of our other local interfaces with
ping 192.168.21.12
it still worked.
To check the blocking rule, we removed bogons as destination and used 192.168.0.0/16
This blocked the traffic. But since we have also VPNs and other networks with local addresses we want the bogons destination. So I searched again:
find / | grep bogo
/usr/local/opnsense/scripts/filter/update_bogons.sh
/usr/local/etc/bogonsv6
/usr/local/etc/bogons.sample
/usr/local/etc/bogonsv6.sample
/usr/local/etc/bogons
/tmp/bogons
/tmp/bogons/bogons.txz.sig
/tmp/bogons/bogons.txz
/tmp/bogons/fullbogons-ipv4.txt
/tmp/bogons/fullbogons-ipv6.txt
Now the strange thing:
In the file /usr/local/etc/bogons, which I thought is the 'main' file,
192.168.0.0/16
10.0.0.0/8
are not included.
I also tried to add the 192.168.0.0/16 via the GUI in Firewall Advanced Settings, but without success.
Still not blocked.
Where is my fault?
It is for a guest access which should not have access to our local networks.
RFC 1918 networks are not considered "bogons" by most operators I know (including myself).
There are essentially (leaving out multicast):
- public addresses - they can appear and are routed on the Internet
- private addresses - they should not appear on the Internet
- bogons - they should appear neither in private networks nor on the Internet
But in the file
/tmp/bogons/fullbogons-ipv4.txt
192.168.0.0/16
10.0.0.0/8
are included.
So which file is used for the bogons alias in OPNsense?
According to
https://en.wikipedia.org/wiki/Bogon_filtering
the private networks are bogons.
And as noted above they are listed in the /tmp/bogons/fullbogons-ipv4.txt file which is named *bogons*.
Ok, found something in /usr/local/opnsense/scripts/filter/update_bogons.sh:
# private and pseudo-private networks will be excluded
# as they are being operated by a separate GUI option
egrep -v "^100.64.0.0/10|^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" ${WORKDIR}/fullbogons-ipv4.txt > ${DESTDIR}/bogons
So they are explicitly excluded from the bogon file.
But what is the separate GUI option?
Ok, found it:
an alias called 'Private_Networks'
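Added example (not from the thread or from OPNsense itself): it reproduces the egrep -v filtering that update_bogons.sh applies to fullbogons-ipv4.txt and then checks which alias a destination such as 192.168.21.12 would actually match, which is why a rule with the bogons alias cannot block the guest network's access to RFC 1918 space. The sample bogon list and the contents of the Private_Networks alias (RFC 1918 plus 100.64.0.0/10) are assumptions.

```python
import ipaddress
import re

# Constructed sample of /tmp/bogons/fullbogons-ipv4.txt (a few entries, not the real feed)
FULLBOGONS_V4 = """\
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
"""

# Same ranges update_bogons.sh strips with egrep -v (dots escaped here for a strict match)
PRIVATE_PATTERN = re.compile(
    r"^100\.64\.0\.0/10|^192\.168\.0\.0/16|^172\.16\.0\.0/12|^10\.0\.0\.0/8"
)

# Assumed contents of the separate Private_Networks alias in OPNsense
PRIVATE_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]


def build_bogons_alias(fullbogons_text):
    """Reproduce what update_bogons.sh writes to /usr/local/etc/bogons:
    every fullbogons entry except the private / pseudo-private ranges."""
    return [line for line in fullbogons_text.splitlines()
            if line and not PRIVATE_PATTERN.match(line)]


def alias_matches(alias_networks, ip):
    """True if ip falls inside any network of the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in alias_networks)


def explain_rule(dst_ip):
    """Show which alias a block rule must use to cover dst_ip."""
    bogons = build_bogons_alias(FULLBOGONS_V4)
    return {
        "bogons": alias_matches(bogons, dst_ip),
        "Private_Networks": alias_matches(PRIVATE_NETWORKS, dst_ip),
    }


if __name__ == "__main__":
    # The ping target from the thread: not in bogons, but in Private_Networks
    print(explain_rule("192.168.21.12"))
```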