config bcp38 option enabled 0 option interface 'eth1' option detect_upstream 1 list match '127.0.0.0/8' list match '192.0.2.0/24' # RFC 5737 list match '198.51.100.0/24' # RFC 5737 list match '203.0.113.0/24' # RFC 5737 list match '192.168.0.0/16' # RFC 1918 list match '10.0.0.0/8' # RFC 1918 list match '172.16.0.0/12' # RFC 1918 list match '169.254.0.0/16' # RFC 3927 # list nomatch '172.26.0.0/21' # Example of something not to match # There is a dhcp trigger to do this for the netmask of a # double natted connection needed # You can only specify IPv4 addresses here - for IPv6, only source # specific default routes will be installed, which achieves the same # without needing any firewall routes. # I will argue that this level of indirection doesn't scale # very well - see how to block china as an example # http://www.okean.com/china.txt