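###################
# Firewall rules
# simplistic ingress filtering
###################
# Ingress filter for the external interface. Every rule below is appended
# (-A) to the INPUT chain of the filter table, so the order written here is
# the order packets are matched in, after whatever rules the script appended
# earlier.
#
# Globals read (must be set before this point):
#   IPT     - path to the iptables binary
#   EXT     - name of the external interface
#   EXT_IP  - address of $EXT. It is baked into the rule as a literal, so the
#             rules must be reloaded whenever the address changes (e.g. a new
#             DHCP lease) or the sanity-check rule below drops all traffic.
#
# Source networks that can never legitimately be the *source* of a packet
# arriving on $EXT: the RFC 1918 private ranges plus the loopback network
# (RFC 1122). A packet claiming one of these is spoofed. One range per word
# so the list can be word-split in the loop below.
SPOOFED_SRC_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Install the ingress rules. Kept in a function so the same rule set can be
# re-applied (or exercised with a stub in $IPT) without re-sourcing the file.
apply_ingress_filter() {
  local net

  # Never accept the limited-broadcast address as a source. Deliberately
  # not logged: it is constant background noise on a shared campus segment.
  "$IPT" -t filter -A INPUT -i "$EXT" -s 255.255.255.255 -j DROP

  # Sanity check: the packet must actually be addressed to us. Note this also
  # discards broadcast- and multicast-destined traffic on $EXT, so turn it
  # off when sniffing or when something on this interface needs those.
  # "! -d" is the extrapositioned negation; the old "-d !" form is deprecated
  # and current iptables releases warn about or reject it.
  # Deliberately not logged: the campus network produces too much of this.
  "$IPT" -t filter -A INPUT -i "$EXT" ! -d "$EXT_IP" -j DROP

  # Spoofed internal-only sources: log, then drop. The LOG rule is
  # rate-limited so a flood of spoofed packets cannot fill the disk or
  # starve the kernel log buffer; the DROP rule is unconditional.
  # shellcheck disable=SC2086 -- intentional word split of the range list
  for net in $SPOOFED_SRC_NETS; do
    "$IPT" -t filter -A INPUT -i "$EXT" -s "$net" \
      -m limit --limit 5/min --limit-burst 10 \
      -j LOG --log-prefix "FW-SPOOFED-SRC: "
    "$IPT" -t filter -A INPUT -i "$EXT" -s "$net" -j DROP
  done
}

apply_ingress_filter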