diff --git a/src/etc/examples/bgpd.conf b/src/etc/examples/bgpd.conf
index 7c80bfb4..95bc3041 100644
--- a/src/etc/examples/bgpd.conf
+++ b/src/etc/examples/bgpd.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: bgpd.conf,v 1.5 2017/07/04 09:33:36 job Exp $
+# $OpenBSD: bgpd.conf,v 1.6 2017/08/12 17:39:51 job Exp $
 # sample bgpd configuration file
 # see bgpd.conf(5)
 
@@ -77,9 +77,17 @@ neighbor 10.2.1.1 {
 	    aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
 }
 
+# do not send or use routes from EBGP neighbors without
+# further explicit configuration
+deny from ebgp
+deny to ebgp
+
+# allow updates to and from IBGP neighbors
+allow from ibgp
+allow to ibgp
+
 # filter out prefixes longer than 24 or shorter than 8 bits for IPv4
 # and longer than 48 or shorter than 16 bits for IPv6.
-deny from any
 allow from any inet prefixlen 8 - 24
 allow from any inet6 prefixlen 16 - 48