author | Guilhem Moulin <guilhem@fripost.org> | 2020-11-15 18:45:13 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-11-15 18:45:13 +0100 |
commit | 03715d2f15999a33f67f55e418c3c8e912c64a12 (patch) | |
tree | 09c1abb8fdd88f793e2a5543dd5183ceee78e659 | |
parent | 8e09a3277931c307e17d037b826fb8efd8979c2d (diff) |
Firewall: Always include 172.16.0.0/12 to the bogon list.
Our IPsec subnet lies within that range, and the setup does not handle overlapping subnets well,
so it is best to explicitly not support NATed machines with an address in 172.16.0.0/12.
-rwxr-xr-x | roles/common/templates/etc/nftables.conf.j2 | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 33407c9..8d81d4c 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -79,9 +79,7 @@ table netdev filter {
 , 100.64.0.0/10 # shared address space (RFC 6598)
 , 127.0.0.0/8 # loopback (RFC 1122, sec. 3.2.1.3)
 , 169.254.0.0/16 # link local (RFC 3927)
-{% if not addr | ipaddr('172.16.0.0/12') %}
 , 172.16.0.0/12 # private-use (RFC 1918)
-{% endif %}
 , 192.0.0.0/24 # IETF protocol assignments (RFC 6890 sec. 2.1)
 , 192.0.2.0/24 # documentation (RFC 5737)
 {% if not addr | ipaddr('192.168.0.0/16') %} |
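Review bot: The 172.16.0.0/12 entry is now the only RFC 1918 range listed unconditionally while the 192.168.0.0/16 entry two lines below keeps its `{% if not addr | ipaddr(...) %}` guard, and nothing in the template records why — the reasoning lives only in the commit message. A host whose `addr` happens to fall in 172.16.0.0/12 would presumably have its own range treated as bogon with no error at deploy time, so the asymmetry deserves an in-template note, e.g. `, 172.16.0.0/12 # private-use (RFC 1918); always listed, never guarded on addr: overlaps our IPsec subnet`. If the role has a place for pre-flight checks, an assertion that `addr` is not in 172.16.0.0/12 would turn that silent drop into a loud failure, but I cannot see from this hunk whether such a hook exists. The enclosing set definition and the rule that consumes it both start and end outside the hunk.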