|
|
@ -1,4 +1,4 @@ |
|
|
# $OpenBSD: bgpd.conf,v 1.10 2010/10/13 08:27:44 sthen Exp $ |
|
|
|
|
|
|
|
|
# $OpenBSD: bgpd.conf,v 1.11 2010/11/28 17:11:43 claudio Exp $ |
|
|
# sample bgpd configuration file |
|
|
# sample bgpd configuration file |
|
|
# see bgpd.conf(5) |
|
|
# see bgpd.conf(5) |
|
|
|
|
|
|
|
|
@ -77,18 +77,35 @@ neighbor 10.2.1.1 { |
|
|
aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b |
|
|
aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
# filter out prefixes longer than 24 or shorter than 8 bits |
|
|
|
|
|
|
|
|
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4 |
|
|
|
|
|
# and longer than 48 or shorter than 16 bits for IPv6. |
|
|
deny from any |
|
|
deny from any |
|
|
allow from any inet prefixlen 8 - 24 |
|
|
allow from any inet prefixlen 8 - 24 |
|
|
|
|
|
allow from any inet6 prefixlen 16 - 48 |
|
|
|
|
|
|
|
|
# accept a default route (since the previous rule blocks this) |
|
|
# accept a default route (since the previous rule blocks this) |
|
|
#allow from any prefix 0.0.0.0/0 |
|
|
#allow from any prefix 0.0.0.0/0 |
|
|
|
|
|
|
|
|
# filter bogus networks |
|
|
|
|
|
|
|
|
# filter bogus networks according to RFC5735 |
|
|
|
|
|
deny from any prefix 0.0.0.0/8 prefixlen >= 8 |
|
|
deny from any prefix 10.0.0.0/8 prefixlen >= 8 |
|
|
deny from any prefix 10.0.0.0/8 prefixlen >= 8 |
|
|
deny from any prefix 172.16.0.0/12 prefixlen >= 12 |
|
|
|
|
|
deny from any prefix 192.168.0.0/16 prefixlen >= 16 |
|
|
|
|
|
|
|
|
deny from any prefix 127.0.0.0/8 prefixlen >= 8 |
|
|
deny from any prefix 169.254.0.0/16 prefixlen >= 16 |
|
|
deny from any prefix 169.254.0.0/16 prefixlen >= 16 |
|
|
|
|
|
deny from any prefix 172.16.0.0/12 prefixlen >= 12 |
|
|
deny from any prefix 192.0.2.0/24 prefixlen >= 24 |
|
|
deny from any prefix 192.0.2.0/24 prefixlen >= 24 |
|
|
|
|
|
deny from any prefix 192.168.0.0/16 prefixlen >= 16 |
|
|
|
|
|
deny from any prefix 198.18.0.0/15 prefixlen >= 15 |
|
|
|
|
|
deny from any prefix 198.51.100.0/24 prefixlen >= 24 |
|
|
|
|
|
deny from any prefix 203.0.113.0/24 prefixlen >= 24 |
|
|
deny from any prefix 224.0.0.0/4 prefixlen >= 4 |
|
|
deny from any prefix 224.0.0.0/4 prefixlen >= 4 |
|
|
deny from any prefix 240.0.0.0/4 prefixlen >= 4 |
|
|
deny from any prefix 240.0.0.0/4 prefixlen >= 4 |
|
|
|
|
|
|
|
|
|
|
|
# filter bogus IPv6 networks according to IANA |
|
|
|
|
|
deny from any prefix ::/8 prefixlen >= 8 |
|
|
|
|
|
deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849] |
|
|
|
|
|
deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843] |
|
|
|
|
|
deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone |
|
|
|
|
|
deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast |
|
|
|
|
|
deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast |
|
|
|
|
|
deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast |
|
|
|
|
|
deny from any prefix ff00::/8 prefixlen >= 8 # multicast |
claudio
14 years ago