firewall: CGN seems to be valid... for discussion

PR: #2880
opnsense · Nov 11, 2018 · fba9b8a · fba9b8a
1 parent 623db5c
commit fba9b8a
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 8 deletions.
diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
@@ -273,8 +273,7 @@ function filter_core_rules_system($fw, $defaults)
     // block bogons and private nets
     $bogontmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologbogons']), 'disablereplyto' => 1);
     $privtmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologprivatenets']),
-      'from' => '10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16',
-      'disablereplyto' => 1);
+      'from' => '10.0.0.0/8,127.0.0.0/8,172.16.0.0/12,192.168.0.0/16', 'disablereplyto' => 1);
     foreach ($fw->getInterfaceMapping() as $intf => $intfinfo) {
         $fw->registerFilterRule(5,
           array('from' => "<bogons>", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet',

diff --git a/src/etc/inc/plugins.inc.d/unbound.inc b/src/etc/inc/plugins.inc.d/unbound.inc
@@ -137,7 +137,6 @@ function unbound_generate_config()
 #
 private-address: 0.0.0.0/8       # Broadcast address
 private-address: 10.0.0.0/8
-private-address: 100.64.0.0/10
 private-address: 127.0.0.0/8     # Loopback Localhost
 private-address: 169.254.0.0/16
 private-address: 172.16.0.0/12

diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
@@ -1049,11 +1049,12 @@ function ip_in_subnet($addr,$subnet)
 
 function is_private_ip($iptocheck)
 {
-    foreach(array("10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16") as $private) {
-        if (ip_in_subnet($iptocheck,$private)==true) {
+    foreach(array('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') as $private) {
+        if (ip_in_subnet($iptocheck, $private)) {
             return true;
         }
     }
+
     return false;
 }
 

diff --git a/src/opnsense/scripts/filter/update_bogons.sh b/src/opnsense/scripts/filter/update_bogons.sh
@@ -56,9 +56,7 @@ ENTRIES_TOT=`pfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}'`
 ENTRIES_V4=`pfctl -vvsTables | awk '/-\tbogons$/ {getline; print $2}'`
 LINES_V4=`wc -l ${WORKDIR}/fullbogons-ipv4.txt | awk '{ print $1 }'`
 if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V4:-0}+LINES_V4)) ]; then
-    # These bogons are removed as they are private.  I'm not going
-    # to question this now, adding a big WARNING instead.  Here be
-    # dragons...
+    # the following networks are removed as they are considered non-bogon:
     egrep -v "^100.64.0.0/10|^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" ${WORKDIR}/fullbogons-ipv4.txt > ${DESTDIR}/bogons
     RESULT=`/sbin/pfctl -t bogons -T replace -f ${DESTDIR}/bogons 2>&1`
     echo "$RESULT" | awk '{ print "Bogons V4 file downloaded: " $0 }' | logger