I have a standard network group that I use to filter traffic entering my networks from addresses that should not be routed on the internet (from various RFCs), including RFC1918 (which I am using internally).
Is there any performance reason to null route all these prefixes instead of adding them as a firewall rule? I'm guessing it would need benchmarks, but I'm curious if anyone has done this and can share.
Null routing 10.0.0.0/8 (for example) wouldn't matter to me, because the most specific prefix wins, and my directly connected (or routing-protocol-learned) networks are definitely more specific than a /8.
So this (simplified, removed all but RFC1918):
    firewall {
        group {
            network-group IPv4_BOGONS {
                network 10.0.0.0/8
                network 172.16.0.0/12
                network 192.168.0.0/16
            }
        }
        name WAN_IN {
            default-action drop
            description "WAN to internal"
            rule 5 {
                action drop
                description "Drop bogons inbound"
                source {
                    group {
                        network-group IPv4_BOGONS
                    }
                }
            }
        }
    }
vs. this:
    protocols {
        static {
            route 10.0.0.0/8 {
                blackhole {
                }
            }
            route 172.16.0.0/12 {
                blackhole {
                }
            }
            route 192.168.0.0/16 {
                blackhole {
                }
            }
        }
    }
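As an added example (not part of the original post), here is the longest-prefix-match argument from the question modelled in Python with the standard `ipaddress` module. The connected /24s (10.1.2.0/24 on eth1, 192.168.50.0/24 on eth2), the default next hop 203.0.113.1 and the sample packets are all constructed for illustration. Besides showing that a connected /24 beats a /8 blackhole, it makes visible the difference a practitioner would want to keep in mind when comparing the two configs: the WAN_IN rule matches on the *source* address of a packet, while a blackhole route can only match on the *destination*, so the two drop different packets.

```python
"""Longest-prefix match vs. source-based firewall rule for RFC1918 bogons.

Added example; not code from the original post. The routing table entries
and the sample packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# The three RFC1918 prefixes used by both the network-group and the blackholes.
BOGONS = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # "blackhole", "connected:<if>", or "via <gateway>"


def build_table(blackhole_bogons: bool) -> list[Route]:
    """Constructed routing table: a default route, two connected LANs and,
    optionally, the three RFC1918 blackholes from the question."""
    table = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "via 203.0.113.1"),        # constructed WAN default
        Route(ipaddress.ip_network("10.1.2.0/24"), "connected:eth1"),       # constructed LAN
        Route(ipaddress.ip_network("192.168.50.0/24"), "connected:eth2"),   # constructed LAN
    ]
    if blackhole_bogons:
        table += [Route(p, "blackhole") for p in BOGONS]
    return table


def lookup(table: list[Route], dst: str) -> Route:
    """Longest-prefix match: of all routes covering dst, return the most specific."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def firewall_rule5_drops(src: str) -> bool:
    """WAN_IN rule 5: drop if the SOURCE address falls in the bogon group."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in BOGONS)


def blackhole_drops(table: list[Route], dst: str) -> bool:
    """A blackhole route discards a packet based only on its DESTINATION."""
    return lookup(table, dst).next_hop == "blackhole"


def compare(src: str, dst: str) -> dict:
    """Evaluate one packet under both approaches, with the blackholes installed."""
    table = build_table(blackhole_bogons=True)
    best = lookup(table, dst)
    return {
        "firewall_drops": firewall_rule5_drops(src),
        "blackhole_drops": blackhole_drops(table, dst),
        "route": str(best.prefix),
        "next_hop": best.next_hop,
    }


# Constructed sample packets (src, dst) arriving on the WAN side.
PACKETS = [
    ("10.9.9.9", "10.1.2.5"),          # spoofed RFC1918 source towards a real LAN host
    ("203.0.113.50", "10.200.0.1"),    # public source towards an unused RFC1918 destination
    ("203.0.113.50", "10.1.2.5"),      # public source towards a real LAN host
]

if __name__ == "__main__":
    for src, dst in PACKETS:
        print(f"{src:>14} -> {dst:<14} {compare(src, dst)}")
```

The first packet is the one that matters for the question: its destination is in the connected 10.1.2.0/24, so the /24 wins over the /8 blackhole and the packet is forwarded, exactly as the post expects; only the source-matching firewall rule drops it. The second packet shows the opposite case, where the blackhole catches a destination the firewall rule never looks at, and without the blackholes that packet would follow the default route back out of the WAN.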