From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: [PATCH] location-functions.pl: Recognise XD / LOC_NETWORK_FLAG_DROP
Date: Thu, 14 Oct 2021 15:08:56 -0400
Message-ID: <867B5E27-DD53-42D1-BE4C-E6D21E6A0DA8@rymes.net>
In-Reply-To: <2AA9AF20-B04A-4D64-82B2-ADF8ED39408F@ipfire.org>

> On Oct 14, 2021, at 2:28 PM, Michael Tremer wrote:
>
> Hello,
>
>> On 13 Oct 2021, at 17:21, Peter Müller wrote:
>>
[snip]
>> Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI
>> to drop all traffic from and to
>> (a) IP networks not being globally routable ("martians")
[snip]
>> (a) is something we (I) can implement straight away. As soon as this patch has been merged,
>
>
> (a) will need a lot of exceptions:
>
> * Networks that are locally connected (GREEN, BLUE, ORANGE, RED)
> * All VPNs (OpenVPN, IPsec, H2N and N2N)
> * All static routes
> * Maybe some SNAT/DNAT rules?
>
> These will have to be auto-generated and not bother the admins.
>
> Maybe it would be better to solve this in another way than using iptables.

[snip]

Is “carrier-grade NAT” no longer a thing?

Also, users behind a NAT router/modem/whatever will run into issues, though that’s maybe handled by excluding locally connected networks as mentioned above?

Tom