blob: 488daab68f8af1bfdfbce7073f43e92e9228ba52 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
config bcp38
option enabled 0
option interface 'eth1'
option detect_upstream 1
list match '127.0.0.0/8'
list match '192.0.2.0/24' # RFC 5737
list match '198.51.100.0/24' # RFC 5737
list match '203.0.113.0/24' # RFC 5737
list match '192.168.0.0/16' # RFC 1918
list match '10.0.0.0/8' # RFC 1918
list match '172.16.0.0/12' # RFC 1918
list match '169.254.0.0/16' # RFC 3927
# list nomatch '172.26.0.0/21' # Example of something not to match
# There is a dhcp trigger to do this for the netmask of a
# double natted connection needed
# You can only specify IPv4 addresses here - for IPv6, only source
# specific default routes will be installed, which achieves the same
# without needing any firewall routes.
# I will argue that this level of indirection doesn't scale
# very well - see how to block china as an example
# http://www.okean.com/china.txt
|