From 03715d2f15999a33f67f55e418c3c8e912c64a12 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 15 Nov 2020 18:45:13 +0100 Subject: Firewall: Always include 172.16.0.0/12 to the bogon list. Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap so it's best to explicitely not support NATed machines with an IP in 172.16.0.0/12. --- roles/common/templates/etc/nftables.conf.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 index 33407c9..8d81d4c 100755 --- a/roles/common/templates/etc/nftables.conf.j2 +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -79,9 +79,7 @@ table netdev filter { , 100.64.0.0/10 # shared address space (RFC 6598) , 127.0.0.0/8 # loopback (RFC 1122, sec. 3.2.1.3) , 169.254.0.0/16 # link local (RFC 3927) -{% if not addr | ipaddr('172.16.0.0/12') %} , 172.16.0.0/12 # private-use (RFC 1918) -{% endif %} , 192.0.0.0/24 # IETF protocol assignments (RFC 6890 sec. 2.1) , 192.0.2.0/24 # documentation (RFC 5737) {% if not addr | ipaddr('192.168.0.0/16') %} -- cgit v1.2.3