OpenWrt Forum Archive

Topic: config bcp38?

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Anyone know how to config bcp38? Do I, as a home user, need it?
From what I have read about it, it sounds like a thing that should be on by default in OpenWrt. Pros? Cons? Thanks.

(Last edited by tapper on 24 Apr 2016, 14:00)

I believe that the BCP38 package in OpenWrt should typically not need any configuration. And yes, everybody should be using it. Quick detour: BCP 38 addresses source address spoofing; in short, it instructs OpenWrt to discard packets with an "impossible" source address (any source address from outside the address range/pool the router "knows" it handles on its LAN side). If everybody were doing this (actually rather all edge ISPs), (D)DoS attacks would be much harder to implement... If I recall correctly, the BCP38 luci-app allows you to configure unusual network configurations, but things should work out of the box for "normal" setups.

Best Regards
        P.

Hi, thanks for your rundown. I installed it:
opkg update
opkg install bcp38

Then, to get it to work, is it just a matter of changing /etc/config/bcp38 to read like this?

config bcp38
    option enabled 1
    option interface 'eth1'
    option detect_upstream 1
    list match '127.0.0.0/8'
    list match '0.0.0.0/8'       # RFC 1700
    list match '240.0.0.0/4'     # RFC 5735 (reserved, formerly "Class E")
    list match '192.0.2.0/24'    # RFC 5737
    list match '198.51.100.0/24' # RFC 5737
    list match '203.0.113.0/24'  # RFC 5737
    list match '192.168.0.0/16'  # RFC 1918
    list match '10.0.0.0/8'      # RFC 1918
    list match '172.16.0.0/12'   # RFC 1918
    list match '169.254.0.0/16'  # RFC 3927

#    list nomatch '172.26.0.0/21' # Example of something not to match
#    A DHCP trigger would be needed to do this for the netmask of a
#    double-NATted connection
#
#    I will argue that this level of indirection doesn't scale
#    very well - see how to block china as an example
#    http://www.okean.com/china.txt


The key part being
    option enabled 1
and then rebooting?

(Last edited by tapper on 24 Apr 2016, 18:02)

tapper wrote:

Hi, thanks for your rundown. I installed it:
opkg update
opkg install bcp38

Then, to get it to work, is it just a matter of changing /etc/config/bcp38 to read like this?

config bcp38
    option enabled 1
    option interface 'eth1'
    option detect_upstream 1
    list match '127.0.0.0/8'
    list match '0.0.0.0/8'       # RFC 1700
    list match '240.0.0.0/4'     # RFC 5735 (reserved, formerly "Class E")
    list match '192.0.2.0/24'    # RFC 5737
    list match '198.51.100.0/24' # RFC 5737
    list match '203.0.113.0/24'  # RFC 5737
    list match '192.168.0.0/16'  # RFC 1918
    list match '10.0.0.0/8'      # RFC 1918
    list match '172.16.0.0/12'   # RFC 1918
    list match '169.254.0.0/16'  # RFC 3927

#    list nomatch '172.26.0.0/21' # Example of something not to match
#    A DHCP trigger would be needed to do this for the netmask of a
#    double-NATted connection
#
#    I will argue that this level of indirection doesn't scale
#    very well - see how to block china as an example
#    http://www.okean.com/china.txt


The key part being
    option enabled 1
and then rebooting?

I would also install luci-app-bcp38 and then look under the Network -> Firewall -> BCP38 sub-tab for configuration. There, I believe, clicking "Save & Apply" should be sufficient, avoiding the need for a reboot...

Best Regards
        M.

Hi, I have to do it using WinSCP as I am running Gargoyle. Is there a way to test if it's working? Thanks.

Here's my network file.

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd68:7e70:3d3f::/48'

config interface 'lan'
    option ifname 'eth1'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '208.67.222.222 208.67.220.220'

config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'
    option mtu '1492'
    option dns '208.67.222.222 208.67.220.220'
    option peerdns '0'

config interface 'wan6'
    option ifname 'eth0'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 6'


In my /etc/config/bcp38, do you want it to listen on the WAN, not the LAN?
Right now mine says
    option interface 'eth1'
which is my LAN. My WAN is on eth0.
Which is the right way, please?

Hi tapper,

So here is mine:
config bcp38
    option interface 'eth1'
    option detect_upstream '1'
    list match '127.0.0.0/8'
    list match '0.0.0.0/8'
    list match '240.0.0.0/4'
    list match '192.0.2.0/24'
    list match '198.51.100.0/24'
    list match '203.0.113.0/24'
    list match '192.168.0.0/16'
    list match '10.0.0.0/8'
    list match '172.16.0.0/12'
    list match '169.254.0.0/16'
    option enabled '1'
    list nomatch '192.168.2.0/24'

Note that I whitelisted 192.168.2.0/24, but I never tested whether I actually need this.


with /etc/config/network containing:
config interface 'wan'
    option _orig_ifname 'eth1'
    option _orig_bridge 'false'
    option ifname 'eth1'
    option proto 'dhcp'

So you need to point it to the WAN interface, or eth0 in your case. For testing, see https://spoofer.caida.org, which will probably only work for IPv6, as for IPv4 NAT will "hide/remap" the unacceptable addresses as seen on the WAN side.

Best Regards
        M.
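The following is an added worked example, not part of the original thread and not the OpenWrt bcp38 package's own code. It models the filter the thread is configuring: a tiny parser for the `config bcp38` section as posted above, the "drop bogon/private sources arriving on the WAN, let our own LAN prefix out" verdict, and the double-NAT case that `detect_upstream` / `list nomatch` exist for (an upstream box handing the router a 192.168.2.x or 10.x WAN address that would otherwise be caught by the RFC 1918 entries). The sample config, the `10.0.0.5/24` upstream address and the verdict logic are constructed assumptions about how such a filter behaves; they are not a description of the package's actual iptables rules.

```python
"""
BCP38 source-address filtering, modelled on the /etc/config/bcp38 layout posted
in this thread.  Added example code, NOT the OpenWrt bcp38 package: the parser
handles only the line shapes shown above, and the verdict logic and the
detect_upstream behaviour are assumptions about how such a filter works.
"""
import ipaddress

# Constructed sample: the thread's config with 'interface' pointed at the WAN
# (eth0, as advised above) and a nomatch entry for a double-NAT upstream.
SAMPLE_BCP38_CONFIG = """\
config bcp38
    option enabled '1'
    option interface 'eth0'
    option detect_upstream '1'
    list match '127.0.0.0/8'
    list match '0.0.0.0/8'
    list match '240.0.0.0/4'
    list match '192.0.2.0/24'     # RFC 5737 documentation range
    list match '198.51.100.0/24'
    list match '203.0.113.0/24'
    list match '192.168.0.0/16'   # RFC 1918
    list match '10.0.0.0/8'
    list match '172.16.0.0/12'
    list match '169.254.0.0/16'
    list nomatch '192.168.2.0/24' # explicit whitelist for a double-NAT upstream
"""


def parse_uci_bcp38(text):
    """Parse the 'config bcp38' section: options become strings, 'match' and
    'nomatch' become lists of ip_network.  Trailing '#' comments are dropped."""
    cfg = {"match": [], "nomatch": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("config "):
            continue
        kind, key, value = line.split(None, 2)
        value = value.strip().strip("'\"")
        if kind == "option":
            cfg[key] = value
        elif kind == "list":
            cfg.setdefault(key, []).append(ipaddress.ip_network(value, strict=False))
    return cfg


def upstream_exemption(cfg, wan_addr):
    """Assumed detect_upstream behaviour: if the WAN address itself sits inside
    a match prefix (double NAT, e.g. an ISP box handing out 10.0.0.x), the
    upstream subnet must be exempted or the router would drop its own upstream's
    traffic.  Returns that subnet, or None.  wan_addr is 'address/prefixlen'."""
    if cfg.get("detect_upstream") != "1":
        return None
    wan = ipaddress.ip_interface(wan_addr)
    if any(wan.ip in net for net in cfg["match"]):
        return wan.network          # only the upstream subnet, not the whole /8
    return None


def bcp38_verdict(cfg, ifname, direction, src, lan_prefix, wan_addr=None):
    """Return 'DROP' or 'ACCEPT' for one packet seen on interface ifname.
    'in' : arriving on the filtered (WAN) interface; drop bogon/private sources
           unless whitelisted by nomatch or by the detected upstream subnet.
    'out': leaving towards the WAN before NAT; drop anything not sourced from
           our own LAN prefix (the egress half of BCP38: our hosts cannot spoof).
    Packets on any other interface are untouched, which is why pointing
    'interface' at the LAN (eth1 above) filters nothing useful."""
    if cfg.get("enabled") != "1" or ifname != cfg.get("interface"):
        return "ACCEPT"
    addr = ipaddress.ip_address(src)
    if direction == "in":
        exempt = list(cfg["nomatch"])
        upstream = upstream_exemption(cfg, wan_addr) if wan_addr else None
        if upstream is not None:
            exempt.append(upstream)
        if any(addr in net for net in exempt):
            return "ACCEPT"
        return "DROP" if any(addr in net for net in cfg["match"]) else "ACCEPT"
    if direction == "out":
        return "ACCEPT" if addr in ipaddress.ip_network(lan_prefix) else "DROP"
    raise ValueError("direction must be 'in' or 'out'")


if __name__ == "__main__":
    cfg = parse_uci_bcp38(SAMPLE_BCP38_CONFIG)
    lan = "192.168.1.0/24"
    # Same spoofed source: ignored on the LAN interface, dropped on the WAN.
    print("eth1 in 10.1.2.3  ->", bcp38_verdict(cfg, "eth1", "in", "10.1.2.3", lan))
    print("eth0 in 10.1.2.3  ->", bcp38_verdict(cfg, "eth0", "in", "10.1.2.3", lan))
    # Double NAT with a 10.0.0.5/24 WAN address (constructed): the upstream /24
    # is let in, the rest of 10/8 is still dropped.
    print("eth0 in 10.0.0.1  ->", bcp38_verdict(cfg, "eth0", "in", "10.0.0.1", lan, "10.0.0.5/24"))
    print("eth0 in 10.5.5.5  ->", bcp38_verdict(cfg, "eth0", "in", "10.5.5.5", lan, "10.0.0.5/24"))
    # Egress: a LAN host forging a documentation-range source is dropped.
    print("eth0 out 203.0.113.9 ->", bcp38_verdict(cfg, "eth0", "out", "203.0.113.9", lan))
```

Two things the run makes visible that the thread only hints at: with `interface 'eth1'` (the LAN) nothing arriving from the Internet is ever examined, and with `detect_upstream` the exemption covers only the upstream's own subnet, so the rest of 10/8 or 192.168/16 stays blocked rather than the whole private range being opened up.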

The discussion might have continued from here.