config bcp38
	option enabled 0
	option interface 'eth1'
	option detect_upstream 1
	list match '127.0.0.0/8'
	list match '192.0.2.0/24'    # RFC 5737
	list match '198.51.100.0/24' # RFC 5737
	list match '203.0.113.0/24'  # RFC 5737
	list match '192.168.0.0/16'  # RFC 1918
	list match '10.0.0.0/8'      # RFC 1918
	list match '172.16.0.0/12'   # RFC 1918
	list match '169.254.0.0/16'  # RFC 3927

# 	list nomatch '172.26.0.0/21' # Example of something not to match
#	There is a dhcp trigger to do this for the netmask of a 
#	double natted connection needed

#       You can only specify IPv4 addresses here - for IPv6, only source
#       specific default routes will be installed, which achieves the same
#       without needing any firewall routes.

#	I will argue that this level of indirection doesn't scale
# 	very well - see how to block china as an example
#	http://www.okean.com/china.txt
