From 1afc3a5de567c0d0887c601334af596a4c88a840 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 21 Oct 2022 13:37:38 +0200
Subject: [PATCH] Block outgoing traffic to local networks by default

Some software, e.g. go-ipfs, is rather aggressive in scanning local networks for peers, which can trigger abuse reports and IP locks in the data center.
---
 site-cookbooks/kosmos_kvm/recipes/host.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/site-cookbooks/kosmos_kvm/recipes/host.rb b/site-cookbooks/kosmos_kvm/recipes/host.rb
index 5e7776f..702451a 100644
--- a/site-cookbooks/kosmos_kvm/recipes/host.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/host.rb
@@ -32,3 +32,19 @@ firewall_rule 'ssh-alt-port' do
 protocol :tcp
 command :allow
 end
+
+%w{
+ 10.0.0.0/8
+ 172.16.0.0/12
+ 192.168.0.0/16
+ 100.64.0.0/10
+}.each do |ip|
+ firewall_rule "unauthorized-private-network-#{ip}" do
+ interface "enp35s0"
+ destination ip
+ direction :out
+ protocol :none
+ command :deny
+ logging :connections
+ end
+end
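Review bot: The block list in the new `%w{}` array stops at RFC 1918 plus CGNAT and leaves out link-local 169.254.0.0/16 (where the cloud metadata endpoint 169.254.169.254 lives) and has no IPv6 counterpart, so a peer scanner on the host can still reach those ranges; adding `169.254.0.0/16` and, if the firewall provider handles IPv6 destinations, `fc00::/7` and `fe80::/10` to the list would close that gap. With ufw, `direction :out` produces a host OUTPUT rule rather than a FORWARD/route rule, so if the aggressive software runs inside guests whose traffic is bridged or NATed through the host, this rule may not cover it — worth confirming where go-ipfs actually runs. The `interface "enp35s0"` literal is host-specific and would be better read from a node attribute so the recipe does not silently no-op on a host with a different NIC name. A blanket deny to these ranges may also cut the host off from data-center-internal services (resolvers, mirrors, NTP) if any sit in private space; a preceding allow for those addresses, or a note in the recipe explaining why none are needed, would make the intent explicit.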