
Update example filterset to include a basic IPv6 filterset.

While there, extend the current IPv4 filterset.
OK sthen@, henning@
OPENBSD_4_9
claudio 14 years ago
48f09b7f57
1 changed files with 22 additions and 5 deletions
  1. +22
    -5
      src/etc/bgpd.conf

+ 22
- 5
src/etc/bgpd.conf View File

@ -1,4 +1,4 @@
# $OpenBSD: bgpd.conf,v 1.10 2010/10/13 08:27:44 sthen Exp $
# $OpenBSD: bgpd.conf,v 1.11 2010/11/28 17:11:43 claudio Exp $
# sample bgpd configuration file # sample bgpd configuration file
# see bgpd.conf(5) # see bgpd.conf(5)
@ -77,18 +77,35 @@ neighbor 10.2.1.1 {
aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
} }
# filter out prefixes longer than 24 or shorter than 8 bits
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
deny from any deny from any
allow from any inet prefixlen 8 - 24 allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48
# accept a default route (since the previous rule blocks this) # accept a default route (since the previous rule blocks this)
#allow from any prefix 0.0.0.0/0 #allow from any prefix 0.0.0.0/0
# filter bogus networks
# filter bogus networks according to RFC5735
deny from any prefix 0.0.0.0/8 prefixlen >= 8
deny from any prefix 10.0.0.0/8 prefixlen >= 8 deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 127.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16 deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.0.2.0/24 prefixlen >= 24 deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 198.18.0.0/15 prefixlen >= 15
deny from any prefix 198.51.100.0/24 prefixlen >= 24
deny from any prefix 203.0.113.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4 deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4 deny from any prefix 240.0.0.0/4 prefixlen >= 4
# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8 # multicast
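Review bot: The IPv4 block labelled "according to RFC5735" does not match that RFC's special-use table: 192.0.0.0/24 (IETF protocol assignments) is missing from the new deny list, and 192.88.99.0/24 (6to4 relay anycast) is also in the table but is legitimately announced, so its absence looks deliberate and should be stated rather than left for the next reader to rediscover. Adding `deny from any prefix 192.0.0.0/24 prefixlen >= 24` after the 169.254.0.0/16 line and a comment such as `# 192.88.99.0/24 (6to4 relay anycast) is intentionally not filtered` would make the list consistent with its own comment. The per-line RFC citations used in the new IPv6 block would also help the IPv4 block, e.g. `# benchmarking [RFC2544]` on the 198.18.0.0/15 line and `# documentation [RFC5737]` on the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 lines. Note that the denies only take effect because they follow the `allow from any inet ... prefixlen` lines, as the existing "previous rule blocks this" comment implies a last-match-wins evaluation; the comment above the bogon lists should say the order matters.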
