198.51.100.99 - Odd choice of blocking address
I understand that the Firewalla performs site blocking via DNS. What seems odd is that the destination IP is a specific remote IP rather than NXDOMAIN, or maybe pointing at an alias for the Firewalla itself -- and providing a mechanism to put up a 'sorry' page. Yes, SSL certs would be an issue, but that seems better than pointing every blocked site at a specific remote instance.
Currently that IP exists and is refusing http/https connections. However, it does mean that if someone takes over that IP they could then see what everyone has blocked, as clients would connect and send the Host: header.
What is the rationale behind using this IP as the destination for blocked sites?
-
Hi Jason,
This IP address is from a reserved IP address block, which is not supposed to be used by anybody else in a production environment.
Reference: https://tools.ietf.org/html/rfc5737
The reason a separate IP address is used instead of the Firewalla IP is to differentiate real traffic to Firewalla itself from blocked traffic. And we could apply different logic for different reserved IP addresses. For example, for 100.99 it will be silently dropped, for 100.100 it will be actively rejected, and for 100.101 it will be redirected to a sorry page.
Note: a "sorry" page will be implemented in the future.
Thanks,
Melvin
-
Ah, I see my mistake.
tcpdump output:
08:08:18.787502 IP 192.168.1.67.53647 > 198.51.100.99.http: Flags [S], seq 204322262, win 29200, options [mss 1460,sackOK,TS val 238832614 ecr 0,nop,wscale 7], length 0
08:08:18.787979 IP 192.168.1.225 > 192.168.1.67: ICMP 198.51.100.99 tcp port http unreachable, length 68
The Firewalla is replying with 'icmp port unreachable', which my browser showed as Connection Refused. It is not going out to a remote instance.
Thank you for the detailed reply.
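The two points made in this thread (blocked names resolve to an RFC 5737 documentation address, and the gateway itself answers the resulting SYN with ICMP port unreachable rather than forwarding it anywhere) can be checked from a packet capture. The following is an added example, not code from the thread or from Firewalla: it classifies a destination against the three RFC 5737 ranges, records the per-address handling exactly as Melvin described it (a hypothetical table, not Firewalla's configuration), and pairs each SYN to a sink address in tcpdump output with the ICMP port-unreachable that answered it, so you can confirm the reply came from the local gateway. The sample capture is the two tcpdump lines from the thread; the gateway address 192.168.1.225 is assumed from that capture.

```python
import ipaddress
import re

# RFC 5737 documentation ranges (TEST-NET-1/2/3); not routed on the public Internet.
RFC5737_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Hypothetical table reproducing the handling described in the thread
# (not Firewalla's own configuration).
SINK_POLICY = {
    "198.51.100.99": "drop",
    "198.51.100.100": "reject",
    "198.51.100.101": "sorry-page",
}

# Constructed sample: the two tcpdump lines quoted in the thread.
SAMPLE_CAPTURE = """\
08:08:18.787502 IP 192.168.1.67.53647 > 198.51.100.99.http: Flags [S], seq 204322262, win 29200, options [mss 1460,sackOK,TS val 238832614 ecr 0,nop,wscale 7], length 0
08:08:18.787979 IP 192.168.1.225 > 192.168.1.67: ICMP 198.51.100.99 tcp port http unreachable, length 68
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# "IP <src>.<sport> > <dst>.<dport>: Flags [S]"
SYN_RE = re.compile(IPV4 + r"\.(\d+) > " + IPV4 + r"\.(\w+): Flags \[S\]")
# "IP <sender> > <client>: ICMP <original dst> tcp port <port> unreachable"
ICMP_UNREACH_RE = re.compile(r"IP " + IPV4 + r" > " + IPV4 + r": ICMP " + IPV4 + r" \w+ port \w+ unreachable")


def is_documentation_address(ip):
    """True if ip falls in one of the RFC 5737 documentation ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC5737_NETS)


def sink_action(ip):
    """Handling the thread describes for a given sink address ('none' if not a sink)."""
    return SINK_POLICY.get(ip, "none")


def analyse_capture(text, gateway_ip):
    """For each SYN sent to a documentation address, report which sink it hit, the
    described policy, and whether the ICMP port-unreachable answering it was sent
    by the local gateway (i.e. the connection never left the LAN)."""
    syns = []
    unreach = set()
    for line in text.splitlines():
        m = SYN_RE.search(line)
        if m:
            src, _sport, dst, port = m.groups()
            if is_documentation_address(dst):
                syns.append({"client": src, "sink": dst, "port": port})
            continue
        m = ICMP_UNREACH_RE.search(line)
        if m:
            sender, client, original_dst = m.groups()
            unreach.add((sender, client, original_dst))
    results = []
    for s in syns:
        answered = (gateway_ip, s["client"], s["sink"]) in unreach
        results.append({**s, "policy": sink_action(s["sink"]), "answered_by_gateway": answered})
    return results


if __name__ == "__main__":
    for r in analyse_capture(SAMPLE_CAPTURE, "192.168.1.225"):
        print(r)
```

Feed it `tcpdump -n` output from the LAN interface: a SYN to a sink address with `answered_by_gateway` False means the reset or unreachable came from somewhere other than the gateway, which is the situation the original question worried about.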