
I was wondering if there's any benefit of adding the following rules to a Raspberry-Pi directly exposed to the internet:

    sudo ufw deny to 0.0.0.0/8 &&
    sudo ufw deny to 169.254.0.0/16 &&
    sudo ufw deny to 172.16.0.0/12 &&
    sudo ufw deny to 224.0.0.0/4 &&
    sudo ufw deny to 240.0.0.0/5 &&
    sudo ufw deny to 239.255.255.0/24 &&
    sudo ufw deny to 255.255.255.255

which will lead to

    [screenshot of the resulting ufw rule listing; image not reproduced]

I have set default inbound to deny all; however, in the interest of hardening a Raspi installation, would the above rules help?

schroeder
Parth Maniar
  • Please do not post images of text. Copy/paste and use the code formatting tool. – schroeder Oct 06 '18 at 16:05
  • What are you specifically trying to do with the above rules? I know 172.16 is a private IP range, but I'm not familiar with the other ranges you attempted to block. Are you trying to prevent against attacks from outside your network? Attacks from inside your network? We need more info about why you chose these specific rules. – Daisetsu Oct 06 '18 at 17:09
  • The purpose is to eliminate IP ranges not in use - either by me in my environment or not allocated. It's bogon filtering. Please read more about it here - https://en.wikipedia.org/wiki/Bogon_filtering. The purpose of asking was to understand if anyone has an idea on the default state of UFW. In most cases ingress and egress filtering take care of the private IP ranges, but what about others? Is it required in UFW or not? I couldn't find details in the rules or the man pages. – Parth Maniar Oct 06 '18 at 17:12
  • It seems to me that the bogon addresses wouldn't make it past your ISP. They're non-routable to the outside world, so I can't imagine what the danger would be. You're probably better off blocking IP ranges allocated to countries you know you will never connect to, but represent a significant portion of malware (Russia/China). – Daisetsu Oct 06 '18 at 18:06
  • Hey, thank you for that. I will try and post about how these lists pose a threat :) A good new research point is a blacklist that UFW can automatically subscribe to! – Parth Maniar Oct 06 '18 at 18:17
  • I did a bit of digging and it appears Team Cymru currently maintains lists of bogon ranges, and updates them as ranges are assigned. Maybe you could use that as an input and transform it into something UFW can use: https://www.team-cymru.com/bogon-reference-http.html. I'm not familiar with the ability of UFW to subscribe to a list. Is that new? – Daisetsu Oct 06 '18 at 18:28
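
As an added example (not code from the question or the comments), a small Python script that turns a text bogon list of the kind the last comment points to into ufw rules: it drops redundant prefixes (the 239.255.255.0/24 rule in the question is already covered by 224.0.0.0/4), carves out the Pi's own LAN so a private-range block does not lock you out, and, as an assumption about the intended direction, denies bogon sources inbound and bogon destinations outbound instead of the question's `deny to` form. The sample list, the LAN range 192.168.1.0/24 and all function names are constructed, not taken from Team Cymru or ufw.

```python
import ipaddress

# Constructed sample in the one-prefix-per-line style of public bogon feeds (not the live Team Cymru file); '#' starts a comment.
SAMPLE_BOGON_LIST = """\
0.0.0.0/8
10.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
239.255.255.0/24  # redundant: already inside 224.0.0.0/4
240.0.0.0/4
"""

def parse_bogons(text):
    """Turn a text bogon list into IPv4Network objects, ignoring comments and blank lines."""
    lines = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [ipaddress.ip_network(line) for line in lines if line]

def _carve(piece, keep):
    """Remove one must-stay-reachable range from one bogon prefix."""
    if piece.subnet_of(keep):      # whole prefix is needed locally: drop it
        return []
    if keep.subnet_of(piece):      # local range sits inside: punch a hole
        return list(piece.address_exclude(keep))
    return [piece]                 # disjoint: unchanged

def normalise(nets, keep=()):
    """Collapse redundant/adjacent prefixes, then carve out the `keep` ranges
    (e.g. the Pi's own LAN), which a raw private-range block would cut off."""
    pieces = list(ipaddress.collapse_addresses(nets))
    for k in map(ipaddress.ip_network, keep):
        pieces = [p for piece in pieces for p in _carve(piece, k)]
    return sorted(pieces)

def ufw_rules(nets, position=1):
    """Deny bogon sources inbound and bogon destinations outbound. ufw is first-match,
    so `insert 1` lands ahead of existing allow rules; use position=None on an empty set."""
    prefix = f"ufw insert {position} " if position else "ufw "
    return [cmd for net in nets
            for cmd in (f"{prefix}deny from {net}", f"{prefix}deny out to {net}")]

def is_bogon(addr, nets):
    """Check one address (e.g. a source IP from a log line) against the filtered list."""
    return any(ipaddress.ip_address(addr) in net for net in nets)

if __name__ == "__main__":
    filtered = normalise(parse_bogons(SAMPLE_BOGON_LIST), keep=["192.168.1.0/24"])
    print("\n".join(ufw_rules(filtered)))
```

Note that the real feed also lists private ranges such as 10.0.0.0/8 and 192.168.0.0/16, so the carve-out step is what keeps LAN administration of the Pi working.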

0 Answers