> On Oct 14, 2021, at 2:28 PM, Michael Tremer wrote:
>
> Hello,
>
>> On 13 Oct 2021, at 17:21, Peter Müller wrote:
>> [snip]
>> Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI
>> to drop all traffic from and to
>> (a) IP networks not being globally routable ("martians")

[snip]

>> (a) is something we (I) can implement straight away. As soon as this patch has been merged,
>
>
> (a) will need a lot of exceptions:
>
> * Networks that are locally connected (GREEN, BLUE, ORANGE, RED)
> * All VPNs (OpenVPN, IPsec, H2N and N2N)
> * All static routes
> * Maybe some SNAT/DNAT rules?
>
> These will have to be auto-generated and not bother the admins.
>
> Maybe it would be better to solve this in another way than using iptables.

[snip]

Is “carrier-grade NAT” no longer a thing?

Also, users behind a NAT router/modem/whatever will run into issues, though that’s maybe handled by excluding locally connected networks as mentioned above?

Tom
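The exception handling discussed above (a martian drop list with locally connected zones, VPN pools and static routes carved out, plus the carrier-grade NAT case Tom raises), as an added example that is not IPFire's code: the martian list, the zone prefixes and the chain name are constructed assumptions.

```python
import ipaddress

# Constructed martian list (assumption, not from the thread): prefixes that are
# not globally routable, including the CGNAT range 100.64.0.0/10 Tom asks about.
MARTIANS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]


def effective_drop_prefixes(martians, exceptions):
    """Carve every exception (locally connected zone, VPN, static route) out of
    the martian list and return the prefixes that remain to be dropped."""
    result = [ipaddress.ip_network(m, strict=False) for m in martians]
    for exc in (ipaddress.ip_network(e, strict=False) for e in exceptions):
        carved = []
        for net in result:
            if net.version != exc.version:
                carved.append(net)  # IPv4/IPv6 never overlap
            elif net.subnet_of(exc):
                continue  # exception covers the whole martian prefix: drop it
            elif exc.subnet_of(net):
                carved.extend(net.address_exclude(exc))  # split around the hole
            else:
                carved.append(net)  # no overlap, keep as is
        result = carved
    return sorted(result)


def is_dropped(address, prefixes):
    """True if traffic from/to this address would hit the generated rules."""
    ip = ipaddress.ip_address(address)
    return any(ip in p for p in prefixes)


def iptables_rules(prefixes, chain="MARTIANS"):
    """Render the auto-generated rule set: one source and one destination
    DROP rule per remaining prefix (chain name is an assumption)."""
    rules = []
    for p in prefixes:
        rules.append(f"iptables -A {chain} -s {p} -j DROP")
        rules.append(f"iptables -A {chain} -d {p} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed setup: GREEN on 192.168.0.0/24, an OpenVPN pool on 10.8.0.0/24,
    # and a RED interface sitting behind carrier-grade NAT on 100.64.1.0/24.
    keep = effective_drop_prefixes(MARTIANS, ["192.168.0.0/24", "10.8.0.0/24", "100.64.1.0/24"])
    print("\n".join(iptables_rules(keep)))
```

Without the 100.64.1.0/24 exception the RED address itself would be blocked, which is exactly the CGNAT problem raised in the reply.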