log level warn prefix "non-public: " counter drop
}
chain check-public {
- ip saddr 0.0.0.0/8 counter goto non-public
- ip saddr 10.0.0.0/8 counter goto non-public
- ip saddr 127.0.0.0/8 counter goto non-public
- ip saddr 169.254.0.0/16 counter goto non-public
- ip saddr 172.16.0.0/12 counter goto non-public
- ip saddr 192.0.2.0/24 counter goto non-public
- ip saddr 192.168.0.0/16 counter goto non-public
- ip saddr 224.0.0.0/3 counter goto non-public
- ip saddr 240.0.0.0/5 counter goto non-public
- ip6 saddr ::/0 counter goto non-public
- ip6 saddr ::/96 counter goto non-public
- ip6 saddr ::/128 counter goto non-public
- ip6 saddr ::1/128 counter goto non-public
- ip6 saddr ::ffff:0.0.0.0/96 counter goto non-public
- ip6 saddr ::224.0.0.0/100 counter goto non-public
- ip6 saddr ::127.0.0.0/104 counter goto non-public
- ip6 saddr ::0.0.0.0/104 counter goto non-public
- ip6 saddr ::255.0.0.0/104 counter goto non-public
- ip6 saddr 0000::/8 counter goto non-public
- ip6 saddr 0200::/7 counter goto non-public
- ip6 saddr 3ffe::/16 counter goto non-public
- ip6 saddr 2001:db8::/32 counter goto non-public
- ip6 saddr 2002:e000::/20 counter goto non-public
- ip6 saddr 2002:7f00::/24 counter goto non-public
- ip6 saddr 2002:0000::/24 counter goto non-public
- ip6 saddr 2002:ff00::/24 counter goto non-public
- ip6 saddr 2002:0a00::/24 counter goto non-public
- ip6 saddr 2002:ac10::/28 counter goto non-public
- ip6 saddr 2002:c0a8::/32 counter goto non-public
- ip6 saddr fc00::/7 counter goto non-public
- ip6 saddr fe80::/10 counter goto non-public
- ip6 saddr fec0::/10 counter goto non-public
- ip6 saddr ff00::/8 counter goto non-public
+ ip saddr 0.0.0.0/8 counter goto non-public comment "Self identification"
+ ip saddr 0.0.0.0/32 counter goto non-public comment "Broadcast"
+ ip saddr 10.0.0.0/8 counter goto non-public comment "Private Networks (rfc1918)"
+ ip saddr 127.0.0.0/8 counter goto non-public comment "Loopback"
+ ip saddr 128.0.0.0/16 counter goto non-public comment "IANA Reserved (rfc3330)"
+ ip saddr 169.254.0.0/16 counter goto non-public comment "Local"
+ ip saddr 172.16.0.0/12 counter goto non-public comment "Private Networks (rfc1918)"
+ ip saddr 192.0.2.0/24 counter goto non-public comment "TEST-NET-1 (rfc5737)"
+ ip saddr 192.168.0.0/16 counter goto non-public comment "Networks (rfc1918)"
+ ip saddr 198.51.100.0/24 counter goto non-public comment "TEST-NET-2 (rfc5737)"
+ ip saddr 203.0.113.0/24 counter goto non-public comment "TEST-NET-3 (rfc5737)"
+ ip saddr 224.0.0.0/3 counter goto non-public comment "Multicast"
+ ip saddr 240.0.0.0/5 counter goto non-public comment "Class E Reserved"
+ ip saddr 191.255.0.0/16 counter goto non-public comment "Reserved (rfc3330)"
+ ip saddr 192.0.0.0/24 counter goto non-public comment "IANA Reserved (rfc3330)"
+ ip saddr 198.18.0.0/15 counter goto non-public comment "Network Interconnect Device Benchmark Testing"
+ ip saddr 223.255.255.0/24 counter goto non-public comment "Special Use Networks (rfc3330)"
+
+ ip6 saddr ::/0 counter goto non-public comment "Default (can be advertised as a route in BGP to peers if desired)"
+ ip6 saddr ::/96 counter goto non-public comment "IPv4-compatible IPv6 address – deprecated by rfc4291"
+ ip6 saddr ::/128 counter goto non-public comment "Unspecified address"
+ ip6 saddr ::1 /128 counter goto non-public comment "Local host loopback address"
+ ip6 saddr ::ffff:0.0.0.0 /96 counter goto non-public comment "IPv4-mapped addresses"
+ ip6 saddr ::224.0.0.0 /100 counter goto non-public comment "Compatible address (IPv4 format)"
+ ip6 saddr ::127.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
+ ip6 saddr ::0.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
+ ip6 saddr ::255.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
+ ip6 saddr 0000:: /8 counter goto non-public comment "Pool used for unspecified, loopback and embedded IPv4 addresses"
+ ip6 saddr 0200:: /7 counter goto non-public comment "OSI NSAP-mapped prefix set (rfc4548) – deprecated by rfc4048"
+ ip6 saddr 3ffe::/16 counter goto non-public comment "Former 6bone, now decommissioned"
+ ip6 saddr 2001:db8::/32 counter goto non-public comment "Reserved by IANA for special purposes and documentation"
+ ip6 saddr 2002:e000:: /20 counter goto non-public comment "Invalid 6to4 packets (IPv4 multicast)"
+ ip6 saddr 2002:7f00:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 loopback)"
+ ip6 saddr 2002:0000:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 default)"
+ ip6 saddr 2002:ff00:: /24 counter goto non-public comment "Invalid 6to4 packets"
+ ip6 saddr 2002:0a00:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network)"
+ ip6 saddr 2002:ac10:: /28 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network)"
+ ip6 saddr 2002:c0a8:: /32 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network)"
+ ip6 saddr fc00:: /7 counter goto non-public comment "Unicast Unique Local Addresses (ULA) – rfc4193"
+ ip6 saddr fe80:: /10 counter goto non-public comment "Link-local Unicast"
+ ip6 saddr fec0:: /10 counter goto non-public comment "Site-local Unicast – deprecated by rfc3879 (replaced by ULA)"
+ ip6 saddr ff00:: /8 counter goto non-public comment "Multicast"
}
chain accept-icmpv6 {
# Traffic That Must Not Be Dropped
sourcephile / git / julm / julm-nix.git / blobdiff