author | Claudio Jeker <claudio@cvs.openbsd.org> | 2010-11-28 17:11:44 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2010-11-28 17:11:44 +0000 |
commit | ee45f40b239b55c3fd78fe75c0303cd5a067a804 (patch) | |
tree | 04c28db5c377be17eff0965cd77cf2dbf1349163 /etc/bgpd.conf | |
parent | 13f8b9b046fe096f3099705bf73e573398c047c5 (diff) |
Update example filterset to include a basic IPv6 filterset.
While there extend the current IPv4 filterset.
OK sthen@, henning@
Diffstat (limited to 'etc/bgpd.conf')
-rw-r--r-- | etc/bgpd.conf | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/etc/bgpd.conf b/etc/bgpd.conf
index f111fdd5463..29610dc5d5f 100644
--- a/etc/bgpd.conf
+++ b/etc/bgpd.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: bgpd.conf,v 1.10 2010/10/13 08:27:44 sthen Exp $
+# $OpenBSD: bgpd.conf,v 1.11 2010/11/28 17:11:43 claudio Exp $
 # sample bgpd configuration file
 # see bgpd.conf(5)
 
@@ -77,18 +77,35 @@ neighbor 10.2.1.1 {
 	aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
 }
 
-# filter out prefixes longer than 24 or shorter than 8 bits
+# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
+# and longer than 48 or shorter than 16 bits for IPv6.
 deny from any
 allow from any inet prefixlen 8 - 24
+allow from any inet6 prefixlen 16 - 48
 
 # accept a default route (since the previous rule blocks this)
 #allow from any prefix 0.0.0.0/0
 
-# filter bogus networks
+# filter bogus networks according to RFC5735
+deny from any prefix 0.0.0.0/8 prefixlen >= 8
 deny from any prefix 10.0.0.0/8 prefixlen >= 8
-deny from any prefix 172.16.0.0/12 prefixlen >= 12
-deny from any prefix 192.168.0.0/16 prefixlen >= 16
+deny from any prefix 127.0.0.0/8 prefixlen >= 8
 deny from any prefix 169.254.0.0/16 prefixlen >= 16
+deny from any prefix 172.16.0.0/12 prefixlen >= 12
 deny from any prefix 192.0.2.0/24 prefixlen >= 24
+deny from any prefix 192.168.0.0/16 prefixlen >= 16
+deny from any prefix 198.18.0.0/15 prefixlen >= 15
+deny from any prefix 198.51.100.0/24 prefixlen >= 24
+deny from any prefix 203.0.113.0/24 prefixlen >= 24
 deny from any prefix 224.0.0.0/4 prefixlen >= 4
 deny from any prefix 240.0.0.0/4 prefixlen >= 4
+
+# filter bogus IPv6 networks according to IANA
+deny from any prefix ::/8 prefixlen >= 8
+deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
+deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
+deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
+deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
+deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
+deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
+deny from any prefix ff00::/8 prefixlen >= 8 # multicast
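Review bot: The new `# filter bogus networks according to RFC5735` comment promises the RFC5735 special-use list, but the IPv4 rules that follow leave out 192.0.0.0/24 (IETF protocol assignments), which that RFC lists next to 192.0.2.0/24; either add `deny from any prefix 192.0.0.0/24 prefixlen >= 24` beside the 192.0.2.0/24 rule or word the comment as a subset of the RFC. The IPv6 block labelled "according to IANA" appears to be one entry short as well: 2001:2::/48 (benchmarking, RFC5180) is not denied, so `deny from any prefix 2001:2::/48 prefixlen >= 48 # benchmarking [RFC5180]` would fit beside the 2001:db8::/32 line, if the intent is to mirror the registry. Because `deny from any` followed by the new `allow from any inet6 prefixlen 16 - 48` rule rejects `::/0` just as the inet rule rejects `0.0.0.0/0`, the `# accept a default route` comment should also carry a commented `#allow from any prefix ::/0` so the IPv6 example is complete. The filter rules rely on later deny entries overriding the earlier allow, which matches bgpd's last-matching-rule semantics as far as I can tell, so a one-line comment such as `# later rules override earlier ones; keep the bogon denies after the allow` would help readers who copy this set.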