Friday, October 7, 2016

The Whole Internet Again!

Several years ago I wrote a post about how to write firewall rules that include or exclude the whole internet, but JUST the internet. I found I needed that chunk of ASA config again, so I came back to get it. Thanks to a commenter earlier this year on an old post, who noticed that I was missing a block of includes, I've updated the list: a chunk of the 203.0.0.0 space was missing. I've also excluded the RFC 6598 carrier-grade NAT (shared address) space.

And it's still only IPv4.

 (Exclude 0.0.0.0 - 0.255.255.255)
 1.0.0.0      /8  = 1.0.0.0 - 1.255.255.255
 2.0.0.0      /7  = 2.0.0.0 - 3.255.255.255
 4.0.0.0      /6  = 4.0.0.0 - 7.255.255.255
 8.0.0.0      /7  = 8.0.0.0 - 9.255.255.255
 (Exclude 10.0.0.0 - 10.255.255.255)
 11.0.0.0     /8  = 11.0.0.0 - 11.255.255.255
 12.0.0.0     /6  = 12.0.0.0 - 15.255.255.255
 16.0.0.0     /4  = 16.0.0.0 - 31.255.255.255
 32.0.0.0     /3  = 32.0.0.0 - 63.255.255.255
 64.0.0.0     /3  = 64.0.0.0 - 95.255.255.255
 96.0.0.0     /6  = 96.0.0.0 - 99.255.255.255
 100.0.0.0    /10 = 100.0.0.0 - 100.63.255.255
 (Exclude 100.64.0.0 - 100.127.255.255)
 100.128.0.0  /9  = 100.128.0.0 - 100.255.255.255
 101.0.0.0    /8  = 101.0.0.0 - 101.255.255.255
 102.0.0.0    /7  = 102.0.0.0 - 103.255.255.255
 104.0.0.0    /5  = 104.0.0.0 - 111.255.255.255
 112.0.0.0    /5  = 112.0.0.0 - 119.255.255.255
 120.0.0.0    /6  = 120.0.0.0 - 123.255.255.255
 124.0.0.0    /7  = 124.0.0.0 - 125.255.255.255
 126.0.0.0    /8  = 126.0.0.0 - 126.255.255.255
 (Exclude 127.0.0.0 - 127.255.255.255)
 128.0.0.0    /3  = 128.0.0.0 - 159.255.255.255
 160.0.0.0    /5  = 160.0.0.0 - 167.255.255.255
 168.0.0.0    /8  = 168.0.0.0 - 168.255.255.255
 169.0.0.0    /9  = 169.0.0.0 - 169.127.255.255
 169.128.0.0  /10 = 169.128.0.0 - 169.191.255.255
 169.192.0.0  /11 = 169.192.0.0 - 169.223.255.255
 169.224.0.0  /12 = 169.224.0.0 - 169.239.255.255
 169.240.0.0  /13 = 169.240.0.0 - 169.247.255.255
 169.248.0.0  /14 = 169.248.0.0 - 169.251.255.255
 169.252.0.0  /15 = 169.252.0.0 - 169.253.255.255
 (Exclude 169.254.0.0 - 169.254.255.255)
 169.255.0.0  /16 = 169.255.0.0 - 169.255.255.255
 170.0.0.0    /7  = 170.0.0.0 - 171.255.255.255
 172.0.0.0    /12 = 172.0.0.0 - 172.15.255.255
 (Exclude 172.16.0.0 - 172.31.255.255)
 172.32.0.0   /11 = 172.32.0.0 - 172.63.255.255
 172.64.0.0   /10 = 172.64.0.0 - 172.127.255.255
 172.128.0.0  /9  = 172.128.0.0 - 172.255.255.255
 173.0.0.0    /8  = 173.0.0.0 - 173.255.255.255
 174.0.0.0    /7  = 174.0.0.0 - 175.255.255.255
 176.0.0.0    /4  = 176.0.0.0 - 191.255.255.255
 (Exclude 192.0.0.0 - 192.0.0.255)
 192.0.1.0    /24 = 192.0.1.0 - 192.0.1.255
 (Exclude 192.0.2.0 - 192.0.2.255)
 192.0.3.0    /24 = 192.0.3.0 - 192.0.3.255
 192.0.4.0    /22 = 192.0.4.0 - 192.0.7.255
 192.0.8.0    /21 = 192.0.8.0 - 192.0.15.255
 192.0.16.0   /20 = 192.0.16.0 - 192.0.31.255
 192.0.32.0   /19 = 192.0.32.0 - 192.0.63.255
 192.0.64.0   /18 = 192.0.64.0 - 192.0.127.255
 192.0.128.0  /17 = 192.0.128.0 - 192.0.255.255
 192.1.0.0    /16 = 192.1.0.0 - 192.1.255.255
 192.2.0.0    /15 = 192.2.0.0 - 192.3.255.255
 192.4.0.0    /14 = 192.4.0.0 - 192.7.255.255
 192.8.0.0    /13 = 192.8.0.0 - 192.15.255.255
 192.16.0.0   /12 = 192.16.0.0 - 192.31.255.255
 192.32.0.0   /11 = 192.32.0.0 - 192.63.255.255
 192.64.0.0   /10 = 192.64.0.0 - 192.127.255.255
 192.128.0.0  /11 = 192.128.0.0 - 192.159.255.255
 192.160.0.0  /13 = 192.160.0.0 - 192.167.255.255
 (Exclude 192.168.0.0 - 192.168.255.255)
 192.169.0.0  /16 = 192.169.0.0 - 192.169.255.255
 192.170.0.0  /15 = 192.170.0.0 - 192.171.255.255
 192.172.0.0  /14 = 192.172.0.0 - 192.175.255.255
 192.176.0.0  /12 = 192.176.0.0 - 192.191.255.255
 192.192.0.0  /10 = 192.192.0.0 - 192.255.255.255
 193.0.0.0    /8  = 193.0.0.0 - 193.255.255.255
 194.0.0.0    /7  = 194.0.0.0 - 195.255.255.255
 196.0.0.0    /7  = 196.0.0.0 - 197.255.255.255
 198.0.0.0    /12 = 198.0.0.0 - 198.15.255.255
 198.16.0.0   /15 = 198.16.0.0 - 198.17.255.255
 (Exclude 198.18.0.0 - 198.19.255.255)
 198.20.0.0   /14 = 198.20.0.0 - 198.23.255.255
 198.24.0.0   /13 = 198.24.0.0 - 198.31.255.255
 198.32.0.0   /12 = 198.32.0.0 - 198.47.255.255
 198.48.0.0   /15 = 198.48.0.0 - 198.49.255.255
 198.50.0.0   /16 = 198.50.0.0 - 198.50.255.255
 198.51.0.0   /18 = 198.51.0.0 - 198.51.63.255
 198.51.64.0  /19 = 198.51.64.0 - 198.51.95.255
 198.51.96.0  /22 = 198.51.96.0 - 198.51.99.255
 (Exclude 198.51.100.0 - 198.51.100.255)
 198.51.101.0 /24 = 198.51.101.0 - 198.51.101.255
 198.51.102.0 /23 = 198.51.102.0 - 198.51.103.255
 198.51.104.0 /21 = 198.51.104.0 - 198.51.111.255
 198.51.112.0 /20 = 198.51.112.0 - 198.51.127.255
 198.51.128.0 /17 = 198.51.128.0 - 198.51.255.255
 198.52.0.0   /14 = 198.52.0.0 - 198.55.255.255
 198.56.0.0   /13 = 198.56.0.0 - 198.63.255.255
 198.64.0.0   /10 = 198.64.0.0 - 198.127.255.255
 198.128.0.0  /9  = 198.128.0.0 - 198.255.255.255
 199.0.0.0    /8  = 199.0.0.0 - 199.255.255.255
 200.0.0.0    /7  = 200.0.0.0 - 201.255.255.255
 202.0.0.0    /8  = 202.0.0.0 - 202.255.255.255
 203.0.0.0    /18 = 203.0.0.0 - 203.0.63.255
 203.0.64.0   /19 = 203.0.64.0 - 203.0.95.255
 203.0.96.0   /20 = 203.0.96.0 - 203.0.111.255
 203.0.112.0  /24 = 203.0.112.0 - 203.0.112.255
 (Exclude 203.0.113.0 - 203.0.113.255)
 203.0.114.0  /23 = 203.0.114.0 - 203.0.115.255
 203.0.116.0  /22 = 203.0.116.0 - 203.0.119.255
 203.0.120.0  /21 = 203.0.120.0 - 203.0.127.255
 203.0.128.0  /17 = 203.0.128.0 - 203.0.255.255
 203.1.0.0    /16 = 203.1.0.0 - 203.1.255.255
 203.2.0.0    /15 = 203.2.0.0 - 203.3.255.255
 203.4.0.0    /14 = 203.4.0.0 - 203.7.255.255
 203.8.0.0    /13 = 203.8.0.0 - 203.15.255.255
 203.16.0.0   /12 = 203.16.0.0 - 203.31.255.255
 203.32.0.0   /11 = 203.32.0.0 - 203.63.255.255
 203.64.0.0   /10 = 203.64.0.0 - 203.127.255.255
 203.128.0.0  /9  = 203.128.0.0 - 203.255.255.255
 204.0.0.0    /6  = 204.0.0.0 - 207.255.255.255
 208.0.0.0    /4  = 208.0.0.0 - 223.255.255.255
 (Exclude 224.0.0.0 - 255.255.255.255)

Finally, I turned that list into an ASA script:

! ASA config-script, subnet-based. (Good for 8.2 and earlier)
! This will create a bunch of unnamed network objects that you may or may not hate. YMMV. Also, why are you still running 8.2?

object-group network NET-INET-VALID
 network-object 1.0.0.0      255.0.0.0 
 network-object 2.0.0.0      254.0.0.0 
 network-object 4.0.0.0      252.0.0.0
 network-object 8.0.0.0      254.0.0.0
 network-object 11.0.0.0     255.0.0.0
 network-object 12.0.0.0     252.0.0.0
 network-object 16.0.0.0     240.0.0.0
 network-object 32.0.0.0     224.0.0.0
 network-object 64.0.0.0     224.0.0.0
 network-object 96.0.0.0     252.0.0.0
 network-object 100.0.0.0    255.192.0.0
 network-object 100.128.0.0  255.128.0.0
 network-object 101.0.0.0    255.0.0.0
 network-object 102.0.0.0    254.0.0.0
 network-object 104.0.0.0    248.0.0.0
 network-object 112.0.0.0    248.0.0.0
 network-object 120.0.0.0    252.0.0.0
 network-object 124.0.0.0    254.0.0.0
 network-object 126.0.0.0    255.0.0.0
 network-object 128.0.0.0    224.0.0.0
 network-object 160.0.0.0    248.0.0.0
 network-object 168.0.0.0    255.0.0.0
 network-object 169.0.0.0    255.128.0.0
 network-object 169.128.0.0  255.192.0.0
 network-object 169.192.0.0  255.224.0.0
 network-object 169.224.0.0  255.240.0.0
 network-object 169.240.0.0  255.248.0.0
 network-object 169.248.0.0  255.252.0.0
 network-object 169.252.0.0  255.254.0.0
 network-object 169.255.0.0  255.255.0.0
 network-object 170.0.0.0    254.0.0.0  
 network-object 172.0.0.0    255.240.0.0
 network-object 172.32.0.0   255.224.0.0
 network-object 172.64.0.0   255.192.0.0
 network-object 172.128.0.0  255.128.0.0
 network-object 173.0.0.0    255.0.0.0  
 network-object 174.0.0.0    254.0.0.0  
 network-object 176.0.0.0    240.0.0.0  
 network-object 192.0.1.0    255.255.255.0
 network-object 192.0.3.0    255.255.255.0
 network-object 192.0.4.0    255.255.252.0
 network-object 192.0.8.0    255.255.248.0
 network-object 192.0.16.0   255.255.240.0
 network-object 192.0.32.0   255.255.224.0
 network-object 192.0.64.0   255.255.192.0
 network-object 192.0.128.0  255.255.128.0
 network-object 192.1.0.0    255.255.0.0
 network-object 192.2.0.0    255.254.0.0
 network-object 192.4.0.0    255.252.0.0
 network-object 192.8.0.0    255.248.0.0
 network-object 192.16.0.0   255.240.0.0
 network-object 192.32.0.0   255.224.0.0
 network-object 192.64.0.0   255.192.0.0
 network-object 192.128.0.0  255.224.0.0
 network-object 192.160.0.0  255.248.0.0
 network-object 192.169.0.0  255.255.0.0
 network-object 192.170.0.0  255.254.0.0
 network-object 192.172.0.0  255.252.0.0
 network-object 192.176.0.0  255.240.0.0
 network-object 192.192.0.0  255.192.0.0
 network-object 193.0.0.0    255.0.0.0
 network-object 194.0.0.0    254.0.0.0
 network-object 196.0.0.0    254.0.0.0
 network-object 198.0.0.0    255.240.0.0
 network-object 198.16.0.0   255.254.0.0
 network-object 198.20.0.0   255.252.0.0
 network-object 198.24.0.0   255.248.0.0
 network-object 198.32.0.0   255.240.0.0
 network-object 198.48.0.0   255.254.0.0
 network-object 198.50.0.0   255.255.0.0
 network-object 198.51.0.0   255.255.192.0
 network-object 198.51.64.0  255.255.224.0
 network-object 198.51.96.0  255.255.252.0
 network-object 198.51.101.0 255.255.255.0
 network-object 198.51.102.0 255.255.254.0
 network-object 198.51.104.0 255.255.248.0
 network-object 198.51.112.0 255.255.240.0
 network-object 198.51.128.0 255.255.128.0
 network-object 198.52.0.0   255.252.0.0
 network-object 198.56.0.0   255.248.0.0
 network-object 198.64.0.0   255.192.0.0
 network-object 198.128.0.0  255.128.0.0
 network-object 199.0.0.0    255.0.0.0
 network-object 200.0.0.0    254.0.0.0
 network-object 202.0.0.0    255.0.0.0
 network-object 203.0.0.0    255.255.192.0
 network-object 203.0.64.0   255.255.224.0
 network-object 203.0.96.0   255.255.240.0
 network-object 203.0.112.0  255.255.255.0
 network-object 203.0.114.0  255.255.254.0
 network-object 203.0.116.0  255.255.252.0
 network-object 203.0.120.0  255.255.248.0
 network-object 203.0.128.0  255.255.128.0
 network-object 203.1.0.0  255.255.0.0
 network-object 203.2.0.0  255.254.0.0
 network-object 203.4.0.0  255.252.0.0
 network-object 203.8.0.0  255.248.0.0
 network-object 203.16.0.0  255.240.0.0
 network-object 203.32.0.0  255.224.0.0
 network-object 203.64.0.0  255.192.0.0
 network-object 203.128.0.0  255.128.0.0
 network-object 204.0.0.0    252.0.0.0
 network-object 208.0.0.0    240.0.0.0
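Rather than working the table out by hand, the same list can be derived from the exclusion set and checked mechanically. What follows is my own added Python example, not the post's code: it starts from 0.0.0.0/0, punches each reserved block from the table above out of it with the standard library's `ipaddress` module, collapses what is left into the minimal CIDR cover, confirms that the cover plus the exclusions tiles all of IPv4 with no gaps and no overlaps, and prints the 8.2-style `network-object` lines. The `EXCLUDED` list is constructed from the table; the object-group name is the post's. It also generalizes the table: change `EXCLUDED` and the script regenerates the whole list, which is how I would keep the object-group in sync when the exclusion set changes.

```python
import ipaddress
from typing import Iterable, List

# Blocks the post carves out of IPv4 (constructed from the table above).
EXCLUDED = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3",
]


def derive_prefixes(excluded: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Start from 0.0.0.0/0, remove each excluded block, and return the
    smallest set of CIDR prefixes that covers everything left over."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        updated = []
        for net in remaining:
            if net.subnet_of(ex):        # net lies entirely inside the exclusion: drop it
                continue
            if ex.subnet_of(net):        # exclusion lies inside net: split net around it
                updated.extend(net.address_exclude(ex))
            else:                        # disjoint: keep as-is
                updated.append(net)
        remaining = updated
    # collapse_addresses merges adjacent sibling blocks, giving the minimal cover
    return list(ipaddress.collapse_addresses(remaining))


def tiles_ipv4(prefixes: Iterable[ipaddress.IPv4Network],
               excluded: Iterable[str]) -> bool:
    """True when prefixes and exclusions are disjoint and together cover
    all 2**32 addresses (no gap, no overlap)."""
    prefixes = list(prefixes)
    exclusions = [ipaddress.ip_network(e) for e in excluded]
    total = sum(n.num_addresses for n in prefixes + exclusions)
    merged = list(ipaddress.collapse_addresses(prefixes + exclusions))
    return total == 2 ** 32 and merged == [ipaddress.ip_network("0.0.0.0/0")]


def covers(prefixes: Iterable[ipaddress.IPv4Network], ip: str) -> bool:
    """Would this address match the object-group?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in prefixes)


def asa_subnet_lines(prefixes: Iterable[ipaddress.IPv4Network],
                     group: str = "NET-INET-VALID") -> List[str]:
    """Render the 8.2-style object-group with dotted-decimal masks."""
    lines = [f"object-group network {group}"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in prefixes]
    return lines


if __name__ == "__main__":
    prefixes = derive_prefixes(EXCLUDED)
    if not tiles_ipv4(prefixes, EXCLUDED):
        raise SystemExit("derived list does not tile IPv4; check EXCLUDED")
    print("\n".join(asa_subnet_lines(prefixes)))
    print(f"! {len(prefixes)} prefixes")
```

Run it and diff the output against the object-group above: with the thirteen exclusions from the table it produces exactly the 103 prefixes listed there, and `tiles_ipv4` fails the moment a prefix is dropped or an exclusion is mistyped.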


For ASA 8.3 or later, there's also this much simpler range-based version.

! ASA Config script, Range-based (for ASA 8.3 and up)

object network NET-INET-RANGE1  
 range 1.0.0.0      9.255.255.255
object network NET-INET-RANGE2  
 range 11.0.0.0     100.63.255.255
object network NET-INET-RANGE3
 range 100.128.0.0  126.255.255.255
object network NET-INET-RANGE4
 range 128.0.0.0    169.253.255.255
object network NET-INET-RANGE5  
 range 169.255.0.0  172.15.255.255
object network NET-INET-RANGE6  
 range 172.32.0.0   191.255.255.255
object network NET-INET-RANGE7  
 range 192.0.1.0    192.0.1.255
object network NET-INET-RANGE8  
 range 192.0.3.0    192.88.98.255
object network NET-INET-RANGE9  
 range 192.88.100.0 192.167.255.255
object network NET-INET-RANGE10  
 range 192.169.0.0  198.17.255.255
object network NET-INET-RANGE11 
 range 198.20.0.0   198.51.99.255
object network NET-INET-RANGE12 
 range 198.51.101.0 203.0.112.255
object network NET-INET-RANGE13 
 range 203.0.114.0  223.255.255.255
object-group network NET-INET-VALID
 network-object object NET-INET-RANGE1
 network-object object NET-INET-RANGE2
 network-object object NET-INET-RANGE3
 network-object object NET-INET-RANGE4
 network-object object NET-INET-RANGE5
 network-object object NET-INET-RANGE6
 network-object object NET-INET-RANGE7
 network-object object NET-INET-RANGE8
 network-object object NET-INET-RANGE9
 network-object object NET-INET-RANGE10
 network-object object NET-INET-RANGE11
 network-object object NET-INET-RANGE12
 network-object object NET-INET-RANGE13
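A check I would run against the range-based version before deploying it, as my own added example rather than the post's code: parse the `range` lines out of the config as given above and compute the complement, that is, exactly which blocks the object-group leaves out. Doing so shows that the ranges above carve out fourteen blocks, one more than the CIDR table: 192.88.99.0/24 (the former 6to4 relay anycast prefix from RFC 3068, since deprecated by RFC 7526) sits between RANGE8 and RANGE9 but is still included in the subnet-based list. Whether to exclude it is a policy choice; the point is that the two object-groups are not equivalent, and a complement check makes that visible. The config text is embedded verbatim from the post; `TABLE_EXCLUSIONS` is constructed from the CIDR table.

```python
import ipaddress
import re
from typing import List, Tuple

# The range-based object list from the post, embedded here as the input to audit.
ASA_RANGE_CONFIG = """
object network NET-INET-RANGE1
 range 1.0.0.0      9.255.255.255
object network NET-INET-RANGE2
 range 11.0.0.0     100.63.255.255
object network NET-INET-RANGE3
 range 100.128.0.0  126.255.255.255
object network NET-INET-RANGE4
 range 128.0.0.0    169.253.255.255
object network NET-INET-RANGE5
 range 169.255.0.0  172.15.255.255
object network NET-INET-RANGE6
 range 172.32.0.0   191.255.255.255
object network NET-INET-RANGE7
 range 192.0.1.0    192.0.1.255
object network NET-INET-RANGE8
 range 192.0.3.0    192.88.98.255
object network NET-INET-RANGE9
 range 192.88.100.0 192.167.255.255
object network NET-INET-RANGE10
 range 192.169.0.0  198.17.255.255
object network NET-INET-RANGE11
 range 198.20.0.0   198.51.99.255
object network NET-INET-RANGE12
 range 198.51.101.0 203.0.112.255
object network NET-INET-RANGE13
 range 203.0.114.0  223.255.255.255
"""

# What the CIDR table earlier in the post excludes (constructed from that table).
TABLE_EXCLUSIONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3",
]

RANGE_LINE = re.compile(r"^\s*range\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)
IPV4_MAX = 2 ** 32 - 1


def parse_asa_ranges(config: str) -> List[Tuple[int, int]]:
    """Return (first, last) integer pairs for every 'range A B' line, sorted."""
    pairs = []
    for lo, hi in RANGE_LINE.findall(config):
        lo_i, hi_i = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
        if lo_i > hi_i:
            raise ValueError(f"range {lo} {hi} is backwards")
        pairs.append((lo_i, hi_i))
    return sorted(pairs)


def complement(ranges: List[Tuple[int, int]]) -> List[str]:
    """CIDR blocks of IPv4 that the ranges do NOT cover, in address order.
    Overlapping ranges raise, since in a list like this that means a typo."""
    gaps = []
    cursor = 0  # first address not yet accounted for
    for lo, hi in ranges:
        if lo < cursor:
            raise ValueError(
                f"range starting at {ipaddress.IPv4Address(lo)} overlaps the previous one")
        if lo > cursor:
            gaps.extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(lo - 1)))
        cursor = hi + 1
    if cursor <= IPV4_MAX:  # tail after the last range (224/3 here)
        gaps.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(IPV4_MAX)))
    return [str(g) for g in gaps]


def diff_exclusions(config: str, expected: List[str]) -> Tuple[List[str], List[str]]:
    """(blocks excluded but not in the reference list, reference blocks not excluded)."""
    actual = complement(parse_asa_ranges(config))
    extra = [g for g in actual if g not in expected]
    missing = [g for g in expected if g not in actual]
    return extra, missing


if __name__ == "__main__":
    extra, missing = diff_exclusions(ASA_RANGE_CONFIG, TABLE_EXCLUSIONS)
    print("excluded by the ranges but not by the table:", extra)
    print("excluded by the table but reachable via the ranges:", missing)
```

The same function audits any hand-maintained range list: feed it the running config and compare the complement with the set of blocks you intended to drop, and both accidental holes and accidental permits show up as entries in `extra` or `missing`.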