Firewall and ASN

[anthael]

Hi

How can i implement asn rules in firewall ?

Thanks by advance

[opn_nwo]

You can't. I submitted a feature request a while back to add ASN support to aliases. Hopefully it will be implemented in the future.

[Patrick M. Hausen]

Seriously how would you expect this feature to be implemented? A whois lookup for every packet is of course out of the question. Regular AS database updates? From which source?

[IsaacFL]

There are lists that you can download an ip list to an Alias and use it as a rule.  For Example, Apple is ASN 714 and this is the list I use:

https://api.hackertarget.com/aslookup/?q=AS714

For others, just change the numbers to the ASN number.  So for Valve (Steam) I use AS32590

https://api.hackertarget.com/aslookup/?q=AS32590

[Patrick M. Hausen]

I know that you can lookup individual AS numbers and their networks. I am in charge of AS16188. 
My question is if there is an exhaustive list for download (I am not aware of one), how much storage and memory is it going to take, and will the alias subsystem scale to a couple of hundred thousand of entries? Which I doubt. Specifically the last one.

So of course this is a perfectly valid feature request but the implementation is far from straightforward in my opinion. Which is probably the reason why nobody has started to work on it, yet.

[opn_nwo]

Seriously how would you expect this feature to be implemented? A whois lookup for every packet is of course out of the question. Regular AS database updates? From which source?

With pfSense, pfBlocker can do it no problem. It creates an alias based on a specific ASN.

[Patrick M. Hausen]

Seriously how would you expect this feature to be implemented? A whois lookup for every packet is of course out of the question. Regular AS database updates? From which source?

With pfSense, pfBlocker can do it no problem. It creates an alias based on a specific ASN.

Interesting. Thanks. Does it update that alias regularly?

[IsaacFL]

As far as pfBlocker, the update rate is set when you set it up the alias.

I typically set it up to refresh about once a week.

It seems to be a pretty common service offered by different vendors as a commercial service. I think it is based on the routing tables via BGP. When I was researching there are also programs you can download to process them locally.

The site I listed https://hackertarget.com/as-ip-lookup/ includes both ipv4 and ipv6 and they have a free tier for up to 50 queries a day. 

None of the lists I download are that big, since they are CIDR domains, the Apple AS714 is the largest I download at 1251 entries.

[mimugmail]

Anyone knows where pflocker loads these lists? Then a small Plugin should be easy

[AdSchellevis]

https://api.bgpview.io/asn/[asn]/prefixes

But looks like an Oracle company, it would probably be more safe to query the source databases directly, which is likely what aslookup is doing (http://aslookup.bgpview.org/index-e.html).

If there's a "open" source for the data, I don't mind adding an ASN type at some point in time in the core product, but trying to query commercial databases is waiting for trouble to happen.

[mimugmail]

http://thyme.apnic.net/current/data-ASnet-detail

APNIC seems fine I'd guess

[IsaacFL]

http://thyme.apnic.net/current/data-ASnet-detail

APNIC seems fine I'd guess

This does not seem to have ipv6.

[IsaacFL]

https://api.bgpview.io/asn/[asn]/prefixes

But looks like an Oracle company, it would probably be more safe to query the source databases directly, which is likely what aslookup is doing (http://aslookup.bgpview.org/index-e.html).

If there's a "open" source for the data, I don't mind adding an ASN type at some point in time in the core product, but trying to query commercial databases is waiting for trouble to happen.

Maybe a better approach would just be to put an Example setup in the documentation similar to the Spamhaus example.

https://api.hackertarget.com/aslookup/?q=AS[asn] outputs in a format that works well with opnsense URL Table with no further processing needed.

[opnsenuser]

Hi,
sorry for digging up this old thread...
Maybe the Ripe stat APi could be used .?
Documentation is available @ stat.ripe.net/docs/data_aip

br
opnsenuser

[aesth]

Seriously how would you expect this feature to be implemented? A whois lookup for every packet is of course out of the question. Regular AS database updates? From which source?

whois -h whois.radb.net -- '-i origin AS714' | awk '/^route:/ {print $2}' > ip table alias