author | Guilhem Moulin <guilhem@fripost.org> | 2020-11-15 18:45:13 +0100 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-11-15 18:45:13 +0100 |
commit | 03715d2f15999a33f67f55e418c3c8e912c64a12 (patch) | |
tree | 09c1abb8fdd88f793e2a5543dd5183ceee78e659 /roles | |
parent | 8e09a3277931c307e17d037b826fb8efd8979c2d (diff) |
Firewall: Always include 172.16.0.0/12 to the bogon list.
Our IPsec subnet lies within that range, but the setup won't deal well with subnet overlap,
so it's best to explicitly not support NATed machines with an IP in 172.16.0.0/12.
Diffstat (limited to 'roles')
-rwxr-xr-x | roles/common/templates/etc/nftables.conf.j2 | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 33407c9..8d81d4c 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -62,43 +62,41 @@ table netdev filter {
 packet-too-big, time-exceeded, parameter-problem } counter accept
 # accept neighbour discovery for autoconfiguration, RFC 4890 sec. 4.4.1
 ip6 hoplimit 255 icmpv6 type { 133,134,135,136,141,142 } counter accept
 # accept link-local multicast receiver notification messages
 ip6 saddr fe80::/10 ip6 daddr ff02::/16 ip6 hoplimit 1 icmpv6 type { 130,131,132,143 } counter accept
 # drop all remaining ICMP/ICMPv6 traffic
 meta l4proto { icmp, icmpv6 } counter drop
 # bogon filter (cf. RFC 6890 for non-global ip addresses)
 define bogon = {
 0.0.0.0/8 # this host, on this network (RFC 1122 sec. 3.2.1.3)
 {% if not addr | ipaddr('10.0.0.0/8') %}
 , 10.0.0.0/8 # private-use (RFC 1918)
 {% endif %}
 , 100.64.0.0/10 # shared address space (RFC 6598)
 , 127.0.0.0/8 # loopback (RFC 1122, sec. 3.2.1.3)
 , 169.254.0.0/16 # link local (RFC 3927)
-{% if not addr | ipaddr('172.16.0.0/12') %}
 , 172.16.0.0/12 # private-use (RFC 1918)
-{% endif %}
 , 192.0.0.0/24 # IETF protocol assignments (RFC 6890 sec. 2.1)
 , 192.0.2.0/24 # documentation (RFC 5737)
 {% if not addr | ipaddr('192.168.0.0/16') %}
 , 192.168.0.0/16 # private-use (RFC 1918)
 {% endif %}
 , 198.18.0.0/15 # benchmarking (RFC 2544)
 , 198.51.100.0/24 # documentation (RFC 5737)
 , 203.0.113.0/24 # documentation (RFC 5737)
 , 224.0.0.0/3 # multicast - class D 224.0.0.0/4 + class E 240.0.0.0/4 (RFC 1112 sec. 4)
 , 255.255.255.255/32 # limited broadcast (RFC 0919 sec. 7)
 }
 ip saddr $bogon counter drop
 ip daddr $bogon counter drop
 # See also https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
 define bogon6 = {
 ::1/128 # loopback address (RFC 4291)
 , ::/128 # unspecified (RFC 4291)
 , ::ffff:0:0/96 # IPv4-mapped address (RFC 4291) |