From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] location-functions.pl: Recognise XD / LOC_NETWORK_FLAG_DROP
Date: Thu, 14 Oct 2021 20:26:14 +0100
Message-ID: <4ECE7D79-0B1D-4965-9148-351770248081@ipfire.org>
In-Reply-To: <867B5E27-DD53-42D1-BE4C-E6D21E6A0DA8@rymes.net>

Hello,

> On 14 Oct 2021, at 20:08, Tom Rymes wrote:
>
>> On Oct 14, 2021, at 2:28 PM, Michael Tremer wrote:
>>
>> Hello,
>>
>>> On 13 Oct 2021, at 17:21, Peter Müller wrote:
>>>
> [snip]
>
>>> Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI
>>> to drop all traffic from and to
>>> (a) IP networks not being globally routable ("martians")
>
> [snip]
>
>>> (a) is something we (I) can implement straight away. As soon as this patch has been merged,
>>
>> (a) will need a lot of exceptions:
>>
>> * Networks that are locally connected (GREEN, BLUE, ORANGE, RED)
>> * All VPNs (OpenVPN, IPsec, H2N and N2N)
>> * All static routes
>> * Maybe some SNAT/DNAT rules?
>>
>> These will have to be auto-generated and not bother the admins.
>>
>> Maybe it would be better to solve this in another way than using iptables.
>
> [snip]
>
> Is "carrier-grade NAT" no longer a thing?

It is, but there is address space that is allocated for that. Bogons would be address space that isn't allocated to anyone - of which there probably isn't much.

> Also, users behind a NAT router/modem/whatever will run into issues, though that's maybe handled by excluding locally connected networks as mentioned above?

Yes, that is an absolute necessity.

>
> Tom
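The exception-first approach discussed in the thread above (exempt locally connected networks, VPN networks and static routes before dropping non-globally-routable source and destination ranges), as an added example that is not part of this thread or of IPFire's own firewall scripts: a POSIX shell script that derives the exception list from a constructed sample of `ip -4 route show` output and prints the iptables commands for a dedicated chain instead of applying them. The interface name `red0`, the chain name `MARTIANS`, the sample routing table and the use of the RFC 6890 special-purpose IPv4 ranges as the drop list are all assumptions made for this example. The sample deliberately puts the RED interface on a 100.64.0.0/10 (CGNAT) address, so the connected-route exception is what keeps the WAN working.

```shell
#!/bin/sh
# Added example, not IPFire code: build an iptables chain that drops traffic
# from and to non-globally-routable ("martian") ranges on the WAN interface
# while exempting every locally connected network and static route, as the
# thread describes. Prints the commands; pipe the output to sh to apply.

WAN_IF="red0"           # assumption: IPFire's RED interface name

# RFC 6890 special-purpose IPv4 ranges (assumed drop list). 100.64.0.0/10 is
# the CGNAT block: allocated, but not globally routable, so a RED interface
# behind carrier-grade NAT relies on the connected-route exemption below.
MARTIANS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 \
198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4"

# Constructed sample of `ip -4 route show` on a box with GREEN, BLUE, an
# OpenVPN tunnel network and one static route. In production, read the live
# table instead:  ip -4 route show
SAMPLE_ROUTES='default via 100.64.12.1 dev red0
100.64.12.0/22 dev red0 proto kernel scope link src 100.64.13.7
192.168.1.0/24 dev green0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev blue0 proto kernel scope link src 192.168.2.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.20.0.0/16 via 192.168.1.254 dev green0'

# Destination prefixes (first field) of every non-default route: connected
# networks, VPN networks and static routes all show up here, which is the
# exception list the thread says must be generated automatically.
route_exceptions() {
    printf '%s\n' "$1" | awk '$1 != "default" { print $1 }'
}

# Emit the commands for the MARTIANS chain. Exceptions come first (RETURN),
# drops second, so rule order does the whitelisting without any address
# arithmetic; the chain is hooked only onto traffic entering or leaving RED
# so that purely internal traffic between private networks is untouched.
martian_rules() {
    routes="$1"
    echo "iptables -N MARTIANS 2>/dev/null"
    echo "iptables -F MARTIANS"
    for net in $(route_exceptions "$routes"); do
        echo "iptables -A MARTIANS -s $net -j RETURN"
        echo "iptables -A MARTIANS -d $net -j RETURN"
    done
    for net in $MARTIANS; do
        echo "iptables -A MARTIANS -s $net -j DROP"
        echo "iptables -A MARTIANS -d $net -j DROP"
    done
    echo "iptables -I INPUT   -i $WAN_IF -j MARTIANS"
    echo "iptables -I FORWARD -i $WAN_IF -j MARTIANS"
    echo "iptables -I FORWARD -o $WAN_IF -j MARTIANS"
    echo "iptables -I OUTPUT  -o $WAN_IF -j MARTIANS"
}

martian_rules "$SAMPLE_ROUTES"
```

Because VPN and static routes only appear in the routing table once they exist, the script has to be re-run whenever routes change (for example from the OpenVPN/IPsec up scripts), which is the operational cost Michael alludes to when he suggests a non-iptables approach. SNAT/DNAT targets are not covered by the routing table and would need to be added to the exception list separately.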