summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-11-15 18:45:13 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-11-15 18:45:13 +0100
commit03715d2f15999a33f67f55e418c3c8e912c64a12 (patch)
tree09c1abb8fdd88f793e2a5543dd5183ceee78e659
parent8e09a3277931c307e17d037b826fb8efd8979c2d (diff)
Firewall: Always include 172.16.0.0/12 to the bogon list.
Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap so it's best to explicitely not support NATed machines with an IP in 172.16.0.0/12.
-rwxr-xr-xroles/common/templates/etc/nftables.conf.j22
1 files changed, 0 insertions, 2 deletions
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 33407c9..8d81d4c 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -79,9 +79,7 @@ table netdev filter {
, 100.64.0.0/10 # shared address space (RFC 6598)
, 127.0.0.0/8 # loopback (RFC 1122, sec. 3.2.1.3)
, 169.254.0.0/16 # link local (RFC 3927)
-{% if not addr | ipaddr('172.16.0.0/12') %}
, 172.16.0.0/12 # private-use (RFC 1918)
-{% endif %}
, 192.0.0.0/24 # IETF protocol assignments (RFC 6890 sec. 2.1)
, 192.0.2.0/24 # documentation (RFC 5737)
{% if not addr | ipaddr('192.168.0.0/16') %}