Hello,

> On 14 Oct 2021, at 20:08, Tom Rymes wrote:
>
>> On Oct 14, 2021, at 2:28 PM, Michael Tremer wrote:
>>
>> Hello,
>>
>>> On 13 Oct 2021, at 17:21, Peter Müller wrote:
>>>
> [snip]
>
>>> Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI
>>> to drop all traffic from and to
>>> (a) IP networks not being globally routable ("martians")
>
> [snip]
>
>>> (a) is something we (I) can implement straight away. As soon as this patch has been merged,
>>
>> (a) will need a lot of exceptions:
>>
>> * Networks that are locally connected (GREEN, BLUE, ORANGE, RED)
>> * All VPNs (OpenVPN, IPsec, H2N and N2N)
>> * All static routes
>> * Maybe some SNAT/DNAT rules?
>>
>> These will have to be auto-generated and not bother the admins.
>>
>> Maybe it would be better to solve this in another way than using iptables.
>
> [snip]
>
> Is “carrier-grade NAT” no longer a thing?

It is, but there is address space that is allocated for that. Bogons would be address space that isn’t allocated to anyone - of which there probably isn’t much.

> Also, users behind a NAT router/modem/whatever will run into issues, though that’s maybe handled by excluding locally connected networks as mentioned above?

Yes, that is an absolute necessity.

> Tom
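As an added illustration of the point made in the quoted message above (the martian drop list only works if the locally connected zones, VPN subnets and static routes are carved out automatically), the following example, which is not IPFire code and not part of this thread, subtracts a constructed set of exception prefixes from the martian list and emits the remaining prefixes as iptables rules. The zone, VPN and route prefixes are made-up sample values; the martian list is the usual IPv4 non-globally-routable space, with the CGNAT block (100.64.0.0/10) treated like any other reserved block so the RED exception has to carve it out.

```python
"""Martian/bogon drop list minus auto-generated exceptions (added example)."""
import ipaddress
from typing import Iterable, List

# IPv4 space that is never globally routable (RFC 1918, 5737, 6598, 6890 ...).
MARTIANS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]

# Constructed sample: what the firewall would collect from its own config.
SAMPLE_EXCEPTIONS = [
    "192.168.1.0/24",   # GREEN
    "192.168.2.0/24",   # BLUE
    "10.10.0.0/24",     # ORANGE
    "100.64.5.0/24",    # RED sits behind an ISP carrier-grade NAT
    "10.8.0.0/24",      # OpenVPN roadwarrior pool
    "172.20.0.0/16",    # static route towards a partner site
]


def effective_drop_set(martians: Iterable[str],
                       exceptions: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the martian prefixes with every exception prefix carved out."""
    remaining = [ipaddress.ip_network(m) for m in martians]
    for exc in (ipaddress.ip_network(e) for e in exceptions):
        updated = []
        for net in remaining:
            if exc.subnet_of(net):
                # Split the reserved block around the prefix we must keep.
                updated.extend(net.address_exclude(exc))
            elif net.subnet_of(exc):
                continue  # the whole reserved block is legitimately in use
            else:
                updated.append(net)
        remaining = updated
    return sorted(set(remaining))


def is_dropped(addr: str, drop_nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if a packet from/to addr would hit one of the drop prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in drop_nets)


def iptables_rules(drop_nets: Iterable[ipaddress.IPv4Network],
                   chain: str = "BOGONS") -> List[str]:
    """Emit matching -s and -d DROP rules for a dedicated chain."""
    rules = []
    for net in drop_nets:
        rules.append(f"-A {chain} -s {net} -j DROP")
        rules.append(f"-A {chain} -d {net} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(effective_drop_set(MARTIANS, SAMPLE_EXCEPTIONS)):
        print(rule)
```

Each exception that matches a reserved block splits that block into the smallest set of prefixes around it, so the rule count grows with the number of carve-outs; that is the cost of keeping the admin's own networks out of the drop chain.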