diff --git a/src/etc/bgpd.conf b/src/etc/bgpd.conf
index f111fdd5..29610dc5 100644
--- a/src/etc/bgpd.conf
+++ b/src/etc/bgpd.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: bgpd.conf,v 1.10 2010/10/13 08:27:44 sthen Exp $
+# $OpenBSD: bgpd.conf,v 1.11 2010/11/28 17:11:43 claudio Exp $
 # sample bgpd configuration file
 # see bgpd.conf(5)
@@ -77,18 +77,35 @@ neighbor 10.2.1.1 {
 aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
 }
-# filter out prefixes longer than 24 or shorter than 8 bits
+# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
+# and longer than 48 or shorter than 16 bits for IPv6.
 deny from any
 allow from any inet prefixlen 8 - 24
+allow from any inet6 prefixlen 16 - 48
 # accept a default route (since the previous rule blocks this)
 #allow from any prefix 0.0.0.0/0
-# filter bogus networks
+# filter bogus networks according to RFC5735
+deny from any prefix 0.0.0.0/8 prefixlen >= 8
 deny from any prefix 10.0.0.0/8 prefixlen >= 8
-deny from any prefix 172.16.0.0/12 prefixlen >= 12
-deny from any prefix 192.168.0.0/16 prefixlen >= 16
+deny from any prefix 127.0.0.0/8 prefixlen >= 8
 deny from any prefix 169.254.0.0/16 prefixlen >= 16
+deny from any prefix 172.16.0.0/12 prefixlen >= 12
 deny from any prefix 192.0.2.0/24 prefixlen >= 24
+deny from any prefix 192.168.0.0/16 prefixlen >= 16
+deny from any prefix 198.18.0.0/15 prefixlen >= 15
+deny from any prefix 198.51.100.0/24 prefixlen >= 24
+deny from any prefix 203.0.113.0/24 prefixlen >= 24
 deny from any prefix 224.0.0.0/4 prefixlen >= 4
 deny from any prefix 240.0.0.0/4 prefixlen >= 4
+
+# filter bogus IPv6 networks according to IANA
+deny from any prefix ::/8 prefixlen >= 8
+deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
+deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
+deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
+deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
+deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
+deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
+deny from any prefix ff00::/8 prefixlen >= 8 # multicast
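Review bot: The new comment claims the IPv4 deny list follows RFC5735, but one special-use block that RFC lists, the IETF protocol assignments range, is not in the added rules; if I read that RFC correctly the set is incomplete and the missing rule would be `deny from any prefix 192.0.0.0/24 prefixlen >= 24`. The 6to4 relay anycast block from the same RFC is legitimately announced, so leaving it out is right, and a comment saying so would stop the next editor from "completing" the list wrongly. The filter's correctness also rests on bgpd evaluating rules last-match-wins, which is why `deny from any` must stay the first rule and the bogon denies must follow the two `allow` lines; a one-line comment above `deny from any` stating that ordering rule would make the sample safer to edit, e.g. `# last matching rule wins: keep the bogon denies below the allow rules`.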