From cb79f7ef704fdda6cd04ee67a4dc6b719eb3bb53 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Tue, 28 Jan 2025 09:14:48 +0300
Subject: [PATCH] roles/common: minor change to firehol update script
They include bogons like 127.0.0.1 that should not be routed on the public Internet, but this blocks local applications we proxy to.
---
 roles/common/templates/update-firehol-nftables.sh.j2 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/roles/common/templates/update-firehol-nftables.sh.j2 b/roles/common/templates/update-firehol-nftables.sh.j2
index 0186e3e..ae2ce41 100755
--- a/roles/common/templates/update-firehol-nftables.sh.j2
+++ b/roles/common/templates/update-firehol-nftables.sh.j2
@@ -28,11 +28,14 @@ if [[ -f "firehol_level1.netset" ]]; then
 firehol_level1_ipv4_list_temp=$(mktemp)
 firehol_level1_ipv4_set_temp=$(mktemp)
- # Filter blank lines and comments
+ # Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
+ # for local services like systemd-resolved and others on localhost. Ideally
+ # these are blocked already at the WAN side by network administrators.
 cat firehol_level1.netset \
 | sed \
 -e '/^$/d' \
 -e '/^#.*/d' \
+ -e '/^127\.0\.0\.0\/8/d' \
 > "$firehol_level1_ipv4_list_temp"
 echo "Building firehol_level1-ipv4 set"
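Review bot: The new sed expression only drops the `127.0.0.0/8` entry, while the comment added above it says the filter also removes bogons used inside the LAN and DMZ — if the level1 list carries RFC 1918 ranges such as `10.0.0.0/8`, `172.16.0.0/12` or `192.168.0.0/16`, they still go into the set and the comment is misleading. Either add matching `-e` lines for those ranges or narrow the comment to what the code does, e.g. `# Filter blank lines, comments, and 127.0.0.0/8, which would otherwise block local services (systemd-resolved, apps we proxy to) reached over localhost`. Anchoring the pattern at both ends, `-e '/^127\.0\.0\.0\/8$/d'`, would keep it from matching a longer line that merely starts with that prefix. If the blocklist set is consulted for traffic on every interface, an explicit `iif lo accept` ahead of the drop rule in the nftables ruleset would protect loopback regardless of list contents; that ruleset is not visible here, so I cannot tell whether it already does. The enclosing `if [[ -f "firehol_level1.netset" ]]` block begins and ends outside the hunk.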