
Re: NAT bypassing Firewall rules

Blocking illegal source IPs on WAN is fairly common. My list was incomplete though (I was posting from my mobile).

I posted a more complete list in another thread:

UBNT-stig wrote:


firewall {
    group {
        network-group BOGONS {
            description "Invalid WAN networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
    }
}


Bogon IP addresses are used by hackers to confuse or even intrude into a system. Packets with a source IP from the above list hitting WAN are considered illegal, and many firewalls out there block them on first sight and don't even bother to check for further matching/default drop.
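To illustrate the "block on first sight" behaviour described in the post, here is an added example (not from the original thread or from EdgeOS itself) that models a WAN_IN ruleset in Python: it checks the source address against the BOGONS network-group above before any other rule, and contrasts that with a mis-ordered ruleset where a port-forward accept rule sits ahead of the bogon drop. The Packet class, the interface names eth0/eth1, the forwarded ports and the sample packets are all constructed assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# The BOGONS network-group exactly as posted in the thread.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
)]


@dataclass
class Packet:
    """Constructed model of a packet arriving at the router (assumption)."""
    iface: str           # ingress interface: "eth0" is WAN, "eth1" is LAN
    src: str             # source IP as seen on the wire
    dst: str             # destination IP (after DNAT, i.e. the internal host)
    dport: int
    established: bool = False


def is_bogon(src: str) -> bool:
    """True if the source address falls inside any BOGONS network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)


def evaluate_wan_in(pkt: Packet, forwarded_ports=(80, 443)) -> str:
    """Correctly ordered WAN_IN ruleset: first match wins.

    1. drop anything with a bogon source (checked before everything else)
    2. accept established/related
    3. accept traffic to ports that are NAT-forwarded to internal hosts
    4. default drop
    """
    if pkt.iface != "eth0":
        return "not-wan"
    if is_bogon(pkt.src):
        return "drop:bogon-source"
    if pkt.established:
        return "accept:established"
    if pkt.dport in forwarded_ports:
        return "accept:port-forward"
    return "drop:default"


def evaluate_wan_in_misordered(pkt: Packet, forwarded_ports=(80, 443)) -> str:
    """Same rules, but the bogon drop is placed after the port-forward accept.

    A spoofed private-range source aimed at a forwarded port is now accepted,
    which is exactly the gap the bogon rule is meant to close.
    """
    if pkt.iface != "eth0":
        return "not-wan"
    if pkt.established:
        return "accept:established"
    if pkt.dport in forwarded_ports:
        return "accept:port-forward"
    if is_bogon(pkt.src):
        return "drop:bogon-source"
    return "drop:default"


# Constructed sample traffic: one spoofed private source, one public source
# hitting a forwarded port, one public source hitting a closed port.
SAMPLE_PACKETS = [
    Packet("eth0", "192.168.1.5", "10.0.0.5", 443),
    Packet("eth0", "8.8.8.8", "10.0.0.5", 443),
    Packet("eth0", "8.8.8.8", "10.0.0.5", 22),
]


def compare_orderings(packets=SAMPLE_PACKETS):
    """Return (src, dport, correct_verdict, misordered_verdict) per packet."""
    return [
        (p.src, p.dport, evaluate_wan_in(p), evaluate_wan_in_misordered(p))
        for p in packets
    ]


if __name__ == "__main__":
    for src, dport, ok, bad in compare_orderings():
        print(f"{src:>14}:{dport:<4} ordered={ok:<22} misordered={bad}")
```

The point the comparison makes is that rule position, not just rule presence, decides whether a spoofed bogon source can reach a port-forwarded host; putting the BOGONS drop at the top of WAN_IN is what gives the "don't even bother to check further" behaviour the post describes.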
