diff --git a/site-cookbooks/kosmos_kvm/recipes/host.rb b/site-cookbooks/kosmos_kvm/recipes/host.rb
index 5e7776f..4e833e2 100644
--- a/site-cookbooks/kosmos_kvm/recipes/host.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/host.rb
@@ -32,3 +32,18 @@ firewall_rule 'ssh-alt-port' do
 protocol :tcp
 command :allow
 end
+
+%w{
+ 10.0.0.0/8
+ 172.16.0.0/12
+ 192.168.0.0/16
+ 100.64.0.0/10
+}.each do |ip|
+ firewall_rule "unauthorized-private-network-#{ip}" do
+ interface "enp35s0"
+ destination ip
+ direction :out
+ protocol :none
+ command :deny
+ end
+end
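Review bot: The interface name `enp35s0` is hard-coded in the new `firewall_rule` loop, so on a host whose uplink has a different name the four deny rules would match nothing and egress to the private ranges would stay open without any error. Consider taking it from node data, e.g. `interface node['network']['default_interface']`, or from a cookbook attribute. Because this is a KVM host recipe, also confirm that `direction :out` covers packets forwarded on behalf of guests; depending on the firewall backend it may apply only to host-originated traffic, in which case guest traffic to these ranges would need a separate forward rule. The list is IPv4-only, and a one-line comment above the loop stating why these ranges are denied on the public interface would help the next reader.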