firewall: regressing in bogon blocking, we're blocking too many now..

PR: https://forum.opnsense.org/index.php?topic=3105.0

src/etc/bogons.sample

@@ -1,12 +1,8 @@
 0.0.0.0/8
-10.0.0.0/8
-100.64.0.0/10
 127.0.0.0/8
 169.254.0.0/16
-172.16.0.0/12
 192.0.0.0/24
 192.0.2.0/24
-192.168.0.0/16
 198.18.0.0/15
 198.51.100.0/24
 203.0.113.0/24

src/etc/inc/filter.inc

@@ -2580,7 +2580,14 @@ EOD;
     }
 
     foreach ($FilterIflist as $on => $oc) {
-      /* block bogon networks via http://www.cymru.com/Documents/bogon-bn-nonagg.txt */
+      /*
+       * Block bogon networks via the following list.  Note that "bogons"
+       * are excluding the four private address ranges for one reason or
+       * another.  They exist in the upstream files but are stripped during
+       * the upgrade stage.
+       *
+       * http://www.cymru.com/Documents/bogon-bn-nonagg.txt
+       */
       if (!isset($config['syslog']['nologbogons'])) {
           $bogonlog = 'log';
       } else {

src/etc/rc.update_bogons

@@ -89,7 +89,10 @@ if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DIS
 		ENTRIES_V4=`pfctl -vvsTables | awk '/-\tbogons$/ {getline; print $2}'`
 		LINES_V4=`wc -l /tmp/bogons | awk '{ print $1 }'`
 		if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V4:-0}+LINES_V4)) ]; then
-			egrep -v "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /usr/local/etc/bogons
+			# These bogons are removed as they are private.  I'm not going
+			# to question this now, adding a big WARNING instead.  Here be
+			# dragons...
+			egrep -v "^100.64.0.0/10|^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /usr/local/etc/bogons
 			RESULT=`/sbin/pfctl -t bogons -T replace -f /usr/local/etc/bogons 2>&1`
 			echo "$RESULT" | awk '{ print "Bogons V4 file downloaded: " $0 }' | logger
 		else