author | Peter Hessler <phessler@cvs.openbsd.org> | 2012-04-27 12:02:48 +0000 |
---|---|---|
committer | Peter Hessler <phessler@cvs.openbsd.org> | 2012-04-27 12:02:48 +0000 |
commit | 4f4f417aea9ca14a7d538f17a739b0f9e33f251c (patch) | |
tree | 85e19be71be1410b4794ef30dc0624fb12e16b00 /etc | |
parent | d0882008fddb2c6ecbd07bcf676925ca3a43e318 (diff) |
Add a brief comment describing each bogus v4 network that is filtered by
default, similar to the v6 entries.
While here, add a filter for 100.64.0.0/10, which is now reserved by RFC 6598
OK henning@, sthen@
Diffstat (limited to 'etc')
-rw-r--r-- | etc/bgpd.conf | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/etc/bgpd.conf b/etc/bgpd.conf
index a55bcd4874b..1542fb53d8f 100644
--- a/etc/bgpd.conf
+++ b/etc/bgpd.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: bgpd.conf,v 1.12 2011/01/19 07:36:40 claudio Exp $
+# $OpenBSD: bgpd.conf,v 1.13 2012/04/27 12:02:47 phessler Exp $
 # sample bgpd configuration file
 # see bgpd.conf(5)
@@ -87,18 +87,19 @@ allow from any inet6 prefixlen 16 - 48
 #allow from any prefix 0.0.0.0/0
 # filter bogus networks according to RFC5735
-deny from any prefix 0.0.0.0/8 prefixlen >= 8
-deny from any prefix 10.0.0.0/8 prefixlen >= 8
-deny from any prefix 127.0.0.0/8 prefixlen >= 8
-deny from any prefix 169.254.0.0/16 prefixlen >= 16
-deny from any prefix 172.16.0.0/12 prefixlen >= 12
-deny from any prefix 192.0.2.0/24 prefixlen >= 24
-deny from any prefix 192.168.0.0/16 prefixlen >= 16
-deny from any prefix 198.18.0.0/15 prefixlen >= 15
-deny from any prefix 198.51.100.0/24 prefixlen >= 24
-deny from any prefix 203.0.113.0/24 prefixlen >= 24
-deny from any prefix 224.0.0.0/4 prefixlen >= 4
-deny from any prefix 240.0.0.0/4 prefixlen >= 4
+deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
+deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
+deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598]
+deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122]
+deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927]
+deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918]
+deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737]
+deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918]
+deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544]
+deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737]
+deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737]
+deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast
+deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved
 # filter bogus IPv6 networks according to IANA
 deny from any prefix ::/8 prefixlen >= 8 |
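Review bot: The section header left as context above the changed lines still reads `# filter bogus networks according to RFC5735`, but the new `100.64.0.0/10` entry is reserved by RFC 6598, so the header no longer describes the whole list; I would change it to `# filter bogus networks according to RFC5735 and RFC6598`. The `224.0.0.0/4` and `240.0.0.0/4` lines are the only entries without a bracketed reference; RFC 5735 cites RFC 3171 and RFC 1112 for them, so `# multicast [RFC3171]` and `# reserved [RFC1112]` would keep the annotations uniform. RFC 5735 also lists 192.0.0.0/24 (IETF protocol assignments), which this list does not deny, and it is worth confirming that omission is deliberate since operators copy this sample as their inbound bogon filter. The filter section continues past the end of the hunk, so the IPv6 entries are not reviewed here.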