--- /dev/null
+config bcp38
+ option enabled 1
+ option interface 'ge00'
+ option detect_upstream 1
+ list match '127.0.0.0/8'
+ list match '0.0.0.0/8' # RFC 1700
+ list match '240.0.0.0/4' # RFC 5745
+ list match '192.0.2.0/24' # RFC 5737
+ list match '198.51.100.0/24' # RFC 5737
+ list match '203.0.113.0/24' # RFC 5737
+ list match '192.168.0.0/16' # RFC 1918
+ list match '10.0.0.0/8' # RFC 1918
+ list match '172.16.0.0/12' # RFC 1918
+ list match '169.254.0.0/16' # RFC 3927
+
+# list nomatch '172.26.0.0/21' # Example of something not to match
+# There is a dhcp trigger to do this for the netmask of a
+# double natted connection needed
+
+# I will argue that this level of indirection doesn't scale
+# very well - see how to block china as an example
+# http://www.okean.com/china.txt