
Deny access to local subnets as well (not only 127.0.0.0/8)

Open justabaka opened this issue 6 years ago • 2 comments

That would be great in terms of security if you're also hosting other VMs or projects your proxy users shouldn't be able to access directly.

justabaka avatar Apr 19 '18 13:04 justabaka

Denying RFC1918 blocks is certainly a good start, but these are definitely not the only ones which are private.

I'd suggest also denying the following ones:

  • RFC5737 (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)
  • RFC3171 Multicast (224.0.0.0/4)
  • Broadcast (255.255.255.255/32)

RFC5735 (which is updated by RFC6598) has a more complete list of reserved address blocks at section 4.

KostyaEsmukov avatar Apr 22 '18 10:04 KostyaEsmukov

BTW for IPv6 the FC00::/7 block is also considered local (see RFC4193).

KostyaEsmukov avatar Apr 22 '18 10:04 KostyaEsmukov
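The denylist discussed in this thread (RFC1918, RFC5737, multicast, broadcast and the IPv6 FC00::/7 block) expressed as a destination check, as an added example that is not tgdante2's own code or configuration. It uses only Python's standard `ipaddress` module; the loopback and link-local ranges, the RFC6598 shared address space, IPv6 multicast and the handling of IPv4-mapped IPv6 addresses are this example's own additions beyond what the comments list, and the labels and function names are illustrative.

```python
import ipaddress

# Reserved / non-routable blocks that a forward proxy should refuse to connect to.
# Ranges from the thread plus loopback, link-local, RFC6598 and IPv6 multicast
# (the extra entries and the labels are this example's own, not tgdante2's).
DENIED_BLOCKS = {
    "RFC1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
    "RFC5737 documentation": ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"],
    "RFC6598 shared address space": ["100.64.0.0/10"],
    "multicast": ["224.0.0.0/4", "ff00::/8"],
    "broadcast": ["255.255.255.255/32"],
    "RFC4193 unique local": ["fc00::/7"],
}

# Parse the CIDRs once; keep the label so a denial can be logged with a reason.
_NETWORKS = [
    (label, ipaddress.ip_network(cidr))
    for label, cidrs in DENIED_BLOCKS.items()
    for cidr in cidrs
]


def classify(dest):
    """Return the label of the reserved block `dest` falls into, or None if it is routable.

    `dest` must already be an IP address string: the check has to run on the
    address the proxy will actually connect to, i.e. after name resolution,
    otherwise a hostname that resolves to 10.0.0.1 slips through.
    """
    addr = ipaddress.ip_address(dest)
    # An IPv4-mapped IPv6 address such as ::ffff:10.0.0.1 must be judged as the
    # embedded IPv4 address, or a client reaches a denied v4 block via the v6 stack.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for label, net in _NETWORKS:
        if addr.version == net.version and addr in net:
            return label
    return None


def is_allowed(dest):
    """True if the proxy may connect to `dest`."""
    return classify(dest) is None


def filter_destinations(dests):
    """Split a list of resolved destination addresses into allowed and denied.

    Returns (allowed, denied) where denied is a list of (address, reason) pairs.
    """
    allowed, denied = [], []
    for dest in dests:
        reason = classify(dest)
        if reason is None:
            allowed.append(dest)
        else:
            denied.append((dest, reason))
    return allowed, denied


if __name__ == "__main__":
    # Constructed sample of resolved destinations, not real proxy traffic.
    sample = [
        "93.184.216.34",        # public, allowed
        "10.1.2.3",             # RFC1918
        "172.32.0.1",           # just outside 172.16.0.0/12, allowed
        "192.0.2.10",           # RFC5737 documentation range
        "224.0.0.251",          # multicast
        "255.255.255.255",      # broadcast
        "fd12:3456::1",         # RFC4193 unique local
        "::ffff:192.168.0.1",   # IPv4-mapped, must still be denied
    ]
    allowed, denied = filter_destinations(sample)
    for dest in allowed:
        print(f"allow {dest}")
    for dest, reason in denied:
        print(f"deny  {dest} ({reason})")
```

The same list can be transcribed into the proxy's own block rules; the point the code makes is that the check must be applied to the resolved address, and that IPv4-mapped IPv6 destinations have to be normalised before the IPv4 ranges are consulted.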