The following deny rule blocks all traffic from all private address spaces that is inbound to a public interface:
IpFilterRule deny-private
{
  IpSourceAddrGroupRef PrivateAddrs
  IpDestAddr all
  IpService
  {
    SourcePortRange 0
    DestinationPortRange 0
    Protocol all
    Direction inbound
    Routing either
    SecurityClass 0
  }
  IpGenericFilterActionRef deny-log
}
The IpSourceAddrGroupRef parameter references an IP address group that is presumed to be defined elsewhere, in either the common or the stack-specific IP security configuration file:
IpAddrGroup PrivateAddrs
{
  IpAddrSet
  {
    Prefix 10.0.0.0/8
  }
  IpAddrSet
  {
    Prefix 172.16.0.0/12
  }
  IpAddrSet
  {
    Range 192.168.0.0-192.168.255.255
  }
}
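To check which source addresses the PrivateAddrs group covers before relying on the deny rule, the following added example (not part of the original documentation or of any product tooling) parses the group's Prefix and Range entries and tests addresses against them. The function names parse_addr_group and in_group are hypothetical, and the embedded policy text is a constructed copy of the statement above.

```python
import ipaddress
import re

# Constructed input: the IpAddrGroup statement from the page, copied as text.
POLICY = """\
IpAddrGroup PrivateAddrs
{
  IpAddrSet
  {
    Prefix 10.0.0.0/8
  }
  IpAddrSet
  {
    Prefix 172.16.0.0/12
  }
  IpAddrSet
  {
    Range 192.168.0.0-192.168.255.255
  }
}
"""

def parse_addr_group(text, name):
    """Return the networks covered by the Prefix/Range entries of one IpAddrGroup."""
    m = re.search(r"IpAddrGroup\s+" + re.escape(name) + r"\s*\{", text)
    if not m:
        raise ValueError(f"IpAddrGroup {name} not found")
    depth, i = 1, m.end()
    while depth and i < len(text):      # walk to the brace that closes the group
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    if depth:
        raise ValueError(f"IpAddrGroup {name} has unbalanced braces")
    nets = []
    for kind, value in re.findall(r"\b(Prefix|Range)\s+(\S+)", text[m.end():i]):
        if kind == "Prefix":
            nets.append(ipaddress.ip_network(value))  # rejects host bits set
        else:
            first, last = (ipaddress.ip_address(a) for a in value.split("-"))
            # a Range need not sit on a prefix boundary, so expand it to CIDR blocks
            nets.extend(ipaddress.summarize_address_range(first, last))
    return nets

def in_group(addr, nets):
    """True if addr falls in the group, i.e. meets the rule's source condition."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

PRIVATE = parse_addr_group(POLICY, "PrivateAddrs")
```

Boundary addresses are the useful test cases: 172.31.255.255 is inside the group and 172.32.0.1 is not, and addresses outside the three listed blocks never match.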
The IpGenericFilterActionRef parameter references an IpGenericFilterAction statement that is presumed to be defined elsewhere, in either the common or the stack-specific IP security configuration file:
IpGenericFilterAction deny-log
{
  IpFilterAction deny
  IpFilterLogging yes
}