On Oct 14, 2021, at 2:28 PM, Michael Tremer michael.tremer@ipfire.org wrote:
Hello,
On 13 Oct 2021, at 17:21, Peter Müller peter.mueller@ipfire.org wrote:
[snip]
Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI to drop all traffic from and to (a) IP networks not being globally routable ("martians")
[snip]
(a) is something we (I) can implement straight away. As soon as this patch has been merged,
(a) will need a lot of exceptions:
- Networks that are locally connected (GREEN, BLUE, ORANGE, RED)
- All VPNs (OpenVPN, IPsec, H2N and N2N)
- All static routes
- Maybe some SNAT/DNAT rules?
These will have to be auto-generated and not bother the admins.
Maybe it would be better to solve this in another way than using iptables.
[snip]
Is “carrier-grade NAT” no longer a thing?
Also, users behind a NAT router/modem/whatever will run into issues, though that’s maybe handled by excluding locally connected networks as mentioned above?
Tom
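As an added illustration of the exception handling discussed in this thread (not code from IPFire or from any of the posters): the script below builds the martian DROP rules with the auto-generated exceptions for locally connected networks, VPN subnets and static routes placed in front of them, and checks whether the RED address sits in carrier-grade NAT space (100.64.0.0/10), which is the case Tom raises. The martian prefix list, the chain name MARTIANS and the sample topology are assumptions of the example; it only generates iptables commands and applies nothing.

```python
import ipaddress
from typing import Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed list of non-globally-routable IPv4 prefixes ("martians").
# Which prefixes belong here is an assumption of this example, not IPFire's list.
MARTIANS: List[str] = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # carrier-grade NAT space
CHAIN = "MARTIANS"                               # hypothetical chain name


def collect_exceptions(local_nets: Iterable[str], vpn_nets: Iterable[str],
                       static_routes: Iterable[str]) -> List[IPv4Net]:
    """Merge every prefix that must never be dropped (locally connected
    networks, VPN subnets, static routes) into one deduplicated, sorted list.
    Host addresses with a prefix length (e.g. the RED address) are turned
    into their network."""
    nets = [ipaddress.ip_network(n, strict=False)
            for group in (local_nets, vpn_nets, static_routes) for n in group]
    return list(ipaddress.collapse_addresses(nets))


def is_behind_cgnat(red_address: str) -> bool:
    """True if the RED (WAN) address lies in carrier-grade NAT space, i.e. the
    RED network itself would be a martian and needs to be an exception."""
    return ipaddress.ip_address(red_address) in CGNAT


def overlapping_martians(exceptions: Iterable[IPv4Net],
                         martians: Iterable[str] = MARTIANS) -> List[Tuple[str, str]]:
    """Report which exception punches a hole in which martian prefix, so an
    admin can see what the auto-generated exceptions actually re-allow."""
    pairs = []
    for exc in exceptions:
        for m in martians:
            if exc.overlaps(ipaddress.ip_network(m)):
                pairs.append((str(exc), m))
    return pairs


def build_rules(exceptions: Iterable[IPv4Net], martians: Iterable[str] = MARTIANS,
                chain: str = CHAIN) -> List[str]:
    """Emit iptables commands: RETURN for every exception first, then DROP for
    traffic from or to any martian prefix. Order matters: each exception must
    precede the DROP rule that would otherwise match it."""
    rules = [f"iptables -N {chain}"]
    for exc in exceptions:
        rules.append(f"iptables -A {chain} -s {exc} -j RETURN")
        rules.append(f"iptables -A {chain} -d {exc} -j RETURN")
    for m in martians:
        rules.append(f"iptables -A {chain} -s {m} -j DROP")
        rules.append(f"iptables -A {chain} -d {m} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample topology: GREEN and BLUE, a RED uplink inside CGNAT
    # space, one OpenVPN subnet and one static route.
    local = ["192.168.0.0/24", "192.168.1.0/24", "100.70.1.2/22"]
    vpns = ["10.8.0.0/24"]
    routes = ["172.16.5.0/24"]
    excs = collect_exceptions(local, vpns, routes)
    print("RED behind CGNAT:", is_behind_cgnat("100.70.1.2"))
    for exc, m in overlapping_martians(excs):
        print(f"exception {exc} re-allows part of martian {m}")
    print("\n".join(build_rules(excs)))
```

Running the script prints the generated rule list; the two adjacent GREEN/BLUE networks are collapsed into 192.168.0.0/23, and the RED network 100.70.0.0/22 shows up as an exception carved out of 100.64.0.0/10, which is exactly the hole a CGNAT-connected box needs.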