Firewall and ASN

Started by anthael, August 17, 2021, 11:07:01 AM

Hi

How can I implement ASN rules in the firewall?

Thanks in advance

You can't. I submitted a feature request a while back to add ASN support to aliases. Hopefully it will be implemented in the future.

Seriously how would you expect this feature to be implemented? A whois lookup for every packet is of course out of the question. Regular AS database updates? From which source?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

There are lists that you can download as an IP list into an Alias and use it in a rule. For example, Apple is ASN 714 and this is the list I use:

https://api.hackertarget.com/aslookup/?q=AS714

For others, just change the numbers to the ASN number. So for Valve (Steam) I use AS32590:

https://api.hackertarget.com/aslookup/?q=AS32590


I know that you can lookup individual AS numbers and their networks. I am in charge of AS16188.  ;)
My question is: if there is an exhaustive list for download (I am not aware of one), how much storage and memory is it going to take, and will the alias subsystem scale to a couple of hundred thousand entries? Which I doubt. Specifically the last one.

So of course this is a perfectly valid feature request but the implementation is far from straightforward in my opinion. Which is probably the reason why nobody has started to work on it, yet.

Quote from: pmhausen on August 17, 2021, 06:31:49 PM
Seriously how would you expect this feature to be implemented? A whois lookup for every packet is of course out of the question. Regular AS database updates? From which source?

With pfSense, pfBlocker can do it no problem. It creates an alias based on a specific ASN.

Quote from: opn_nwo on August 17, 2021, 09:54:13 PM
Quote from: pmhausen on August 17, 2021, 06:31:49 PM
Seriously how would you expect this feature to be implemented? A whois lookup for every packet is of course out of the question. Regular AS database updates? From which source?

With pfSense, pfBlocker can do it no problem. It creates an alias based on a specific ASN.
Interesting. Thanks. Does it update that alias regularly?

As far as pfBlocker goes, the update rate is set when you set up the alias.

I typically set it up to refresh about once a week.

It seems to be a pretty common service offered by different vendors as a commercial service. I think it is based on the routing tables via BGP. When I was researching, there were also programs you can download to process them locally.

The site I listed, https://hackertarget.com/as-ip-lookup/, includes both IPv4 and IPv6, and they have a free tier for up to 50 queries a day.

None of the lists I download are that big since they are CIDR domains; the Apple AS714 one is the largest I download at 1251 entries.

Anyone know where pfBlocker loads these lists from? Then a small plugin should be easy.

https://api.bgpview.io/asn/[asn]/prefixes

But it looks like an Oracle company; it would probably be safer to query the source databases directly, which is likely what aslookup is doing (http://aslookup.bgpview.org/index-e.html).

If there's an "open" source for the data, I don't mind adding an ASN type at some point in time in the core product, but trying to query commercial databases is waiting for trouble to happen.



Quote from: AdSchellevis on August 18, 2021, 10:00:36 AM
https://api.bgpview.io/asn/[asn]/prefixes

But looks like an Oracle company, it would probably be more safe to query the source databases directly, which is likely what aslookup is doing (http://aslookup.bgpview.org/index-e.html).

If there's a "open" source for the data, I don't mind adding an ASN type at some point in time in the core product, but trying to query commercial databases is waiting for trouble to happen.

Maybe a better approach would just be to put an Example setup in the documentation similar to the Spamhaus example.

https://api.hackertarget.com/aslookup/?q=AS[asn] outputs in a format that works well with the OPNsense URL Table alias with no further processing needed.




Hi,
sorry for digging up this old thread... ;)
Maybe the RIPEstat API could be used?
Documentation is available @ stat.ripe.net/docs/data_aip

br
opnsenuser

Quote from: pmhausen on August 17, 2021, 06:31:49 PM
Seriously how would you expect this feature to be implemented? A whois lookup for every packet is of course out of the question. Regular AS database updates? From which source?
whois -h whois.radb.net -- '-i origin AS714' | awk '/^route:/ {print $2}' > as714.txt   # serve as714.txt over HTTP and point a URL Table alias at it
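As an added example (not from any poster in this thread), here is a shell function that turns RADb whois output into a clean URL Table list: it handles both `route:` (IPv4) and `route6:` (IPv6) objects, checks that each value is a syntactically valid CIDR prefix, and deduplicates, so a malformed line in the whois answer never ends up in the alias. The whois sample is constructed inline with documentation prefixes; in real use, pipe the `whois -h whois.radb.net` output into the function.

```shell
#!/bin/sh
# Added example: turn RADb whois output (RPSL "route:" / "route6:" objects)
# into one CIDR per line for an OPNsense URL Table alias.
# Reads whois text on stdin, writes the cleaned list on stdout.
radb_to_cidr() {
    awk '
        # ok4/ok6 accept only syntactically valid prefixes, so a malformed
        # or unexpected whois line is dropped instead of reaching the alias.
        function ok4(p,  a, o, i) {
            if (split(p, a, "/") != 2 || a[2] !~ /^[0-9]+$/ || a[2] + 0 > 32) return 0
            if (split(a[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        function ok6(p,  a) {
            if (split(p, a, "/") != 2 || a[2] !~ /^[0-9]+$/ || a[2] + 0 > 128) return 0
            return (a[1] ~ /^[0-9A-Fa-f:]+$/ && a[1] ~ /:/)
        }
        # seen[] deduplicates: RADb often lists the same route under
        # several maintainer objects.
        $1 == "route:"  && ok4($2) && !seen[$2]++ { print $2 }
        $1 == "route6:" && ok6($2) && !seen[$2]++ { print $2 }
    '
}

# Constructed sample of what the RADb whois answer looks like (documentation
# prefixes, not a real AS714 listing), including duplicates and bad values
# that must be dropped.
SAMPLE='route:          192.0.2.0/24
descr:          constructed sample
origin:         AS714
route6:         2001:db8::/32
origin:         AS714
route:          192.0.2.0/24
route:          999.0.2.0/24
route:          192.0.2.0/33
route:          junk-value
route6:         2001:db8::/129
'

# Real use: whois -h whois.radb.net -- "-i origin AS714" | radb_to_cidr > as714.txt
printf '%s' "$SAMPLE" | radb_to_cidr
```

Serve the resulting file over HTTP(S) and point a URL Table alias at it; the alias refresh interval then does the periodic update.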