Well, at least the IP ranges we expect. Most firewalls use “ANY” or 0.0.0.0/0 for the Internet. It’s basically a catch-all. However, we can define it more precisely than that. If we exclude the RFC 1918 spaces, DHCP reserved, multicast, etc., we can easily create a list of the IPv4 Internet.

Why? Well, Policy Based Routing is one reason. If we want to send Internet traffic via a specific route while excluding all the internal RFC 1918 ranges we are using, we need to be more specific.

It is also good for default outbound rules: it stops you accidentally sending packets destined for internal addresses out of your public interface.

config firewall address
    edit "0.0.0.0-9.255.255.255"
        set type iprange
        set end-ip 9.255.255.255
    next
    edit "11.0.0.0-100.63.255.255"
        set type iprange
        set start-ip 11.0.0.0
        set end-ip 100.63.255.255
    next
    edit "100.128.0.0-126.255.255.255"
        set type iprange
        set start-ip 100.128.0.0
        set end-ip 126.255.255.255
    next
    edit "128.0.0.0-169.253.255.255"
        set type iprange
        set start-ip 128.0.0.0
        set end-ip 169.253.255.255
    next
    edit "169.255.0.0-172.15.255.255"
        set type iprange
        set start-ip 169.255.0.0
        set end-ip 172.15.255.255
    next
    edit "172.32.0.0-192.167.255.255"
        set type iprange
        set start-ip 172.32.0.0
        set end-ip 192.167.255.255
    next
    edit "192.169.0.0-223.255.255.255"
        set type iprange
        set start-ip 192.169.0.0
        set end-ip 223.255.255.255
    next
end


config firewall addrgrp
    edit "InternetSubnets"
        set member "0.0.0.0-9.255.255.255" "11.0.0.0-100.63.255.255" "100.128.0.0-126.255.255.255"  "128.0.0.0-169.253.255.255" "169.255.0.0-172.15.255.255" "172.32.0.0-192.167.255.255" "192.169.0.0-223.255.255.255"
    next
end
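The seven ranges above can be derived rather than typed by hand. The following Python sketch is an added example, not part of the original post: the `EXCLUDED` list is read off the gaps between the page's ranges, and the function names are hypothetical. It computes the remaining ranges, checks a range list for overlap with the internal blocks, and renders the same CLI layout.

```python
import ipaddress

IP = ipaddress.IPv4Address
# Blocks missing from the page's seven ranges (read off the gaps between them).
EXCLUDED = [
    "10.0.0.0/8",      # RFC 1918
    "100.64.0.0/10",   # RFC 6598 shared address space (CGNAT)
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
    "224.0.0.0/3",     # multicast 224/4 plus reserved 240/4
]

def internet_ranges(excluded=EXCLUDED):
    """Return (start, end) string pairs covering IPv4 minus the excluded blocks."""
    nets = sorted(ipaddress.collapse_addresses(map(ipaddress.ip_network, excluded)))
    spans, cursor = [], 0
    for net in nets:
        first, last = int(net.network_address), int(net.broadcast_address)
        if first > cursor:                # the gap before this block is kept
            spans.append((cursor, first - 1))
        cursor = last + 1
    if cursor <= 0xFFFFFFFF:              # tail after the last excluded block
        spans.append((cursor, 0xFFFFFFFF))
    return [(str(IP(a)), str(IP(b))) for a, b in spans]

def leaks(ranges, internal=EXCLUDED):
    """List (range, block) pairs where a range overlaps an internal block."""
    return [(f"{s}-{e}", blk) for s, e in ranges
            for cidr in ipaddress.summarize_address_range(IP(s), IP(e))
            for blk in internal if cidr.overlaps(ipaddress.ip_network(blk))]

def fortigate_config(ranges, group="InternetSubnets"):
    """Render the ranges in the CLI layout the page uses."""
    out = ["config firewall address"]
    for start, end in ranges:
        out += [f'    edit "{start}-{end}"', "        set type iprange"]
        if start != "0.0.0.0":            # the page's first object has no start-ip line
            out.append(f"        set start-ip {start}")
        out += [f"        set end-ip {end}", "    next"]
    members = " ".join(f'"{s}-{e}"' for s, e in ranges)
    out += ["end", "config firewall addrgrp", f'    edit "{group}"',
            f"        set member {members}", "    next", "end"]
    return "\n".join(out)

if __name__ == "__main__":
    print(fortigate_config(internet_ranges()))
```

Adding further blocks to `EXCLUDED` regenerates the object list, and `leaks()` can be run over a hand-edited list before it is referenced in a policy.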

Let's define the Internet