diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index 543c91a9c258f98117df737591f605ee46dff31a..76ab582165e782eb1414abb82927747c3969221b 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -44,6 +44,49 @@ function save_firewall_settings {
     fi
 }
 
+function firewall_block_bad_ip_ranges {
+    if [ $INSTALLING_MESH ]; then
+        return
+    fi
+    if [[ $(is_completed $FUNCNAME) == "1" ]]; then
+        return
+    fi
+
+    # There are various blocklists out there, but they're difficult
+    # to verify. Indiscriminately blocking ranges without evidence
+    # would be a bad idea.
+
+    # From Wikipedia and elsewhere: US military addresses
+    iptables -A INPUT -s 6.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 6.0.0.0/8 -j DROP
+    iptables -A INPUT -s 7.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 7.0.0.0/8 -j DROP
+    iptables -A INPUT -s 11.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 11.0.0.0/8 -j DROP
+    iptables -A INPUT -s 21.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 21.0.0.0/8 -j DROP
+    iptables -A INPUT -s 22.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 22.0.0.0/8 -j DROP
+    iptables -A INPUT -s 26.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 26.0.0.0/8 -j DROP
+    iptables -A INPUT -s 28.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 28.0.0.0/8 -j DROP
+    iptables -A INPUT -s 29.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 29.0.0.0/8 -j DROP
+    iptables -A INPUT -s 30.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 30.0.0.0/8 -j DROP
+    iptables -A INPUT -s 33.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 33.0.0.0/8 -j DROP
+    iptables -A INPUT -s 55.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 55.0.0.0/8 -j DROP
+    iptables -A INPUT -s 214.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 214.0.0.0/8 -j DROP
+    iptables -A INPUT -s 215.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 215.0.0.0/8 -j DROP
+    save_firewall_settings
+    mark_completed $FUNCNAME
+}
+
 function global_rate_limit {
     if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
         echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
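Review bot: The OUTPUT rules in firewall_block_bad_ip_ranges (the even-numbered lines from `iptables -A OUTPUT -s 6.0.0.0/8 -j DROP` down to `215.0.0.0/8`) match on `-s`, which in the OUTPUT chain is the host's own source address, so they never fire and outbound traffic to the listed ranges is still permitted; the outbound half needs `-d`, e.g. `iptables -A OUTPUT -d 6.0.0.0/8 -j DROP`. Since the same two-line pair is repeated thirteen times, keeping the ranges in one list and looping removes the chance of this copy-paste slipping through again, and the loop below does that. Because the rules are appended with `-A`, any ACCEPT already present earlier in INPUT (for example an established/related rule, if setup_firewall installs one — not visible in this hunk) is consulted first, so this is a filter on new connections at best, which is worth stating in the comment. Nit: `[ $INSTALLING_MESH ]` and the bare `$FUNCNAME` are unquoted; `[[ -n "$INSTALLING_MESH" ]]` and `"$FUNCNAME"` are what ShellCheck expects.
```shell
    # DoD-allocated /8s; inbound is matched on source, outbound on destination.
    # Appended with -A, so any earlier ACCEPT in these chains still wins.
    local range
    for range in 6.0.0.0/8 7.0.0.0/8 11.0.0.0/8 21.0.0.0/8 22.0.0.0/8 26.0.0.0/8 \
                 28.0.0.0/8 29.0.0.0/8 30.0.0.0/8 33.0.0.0/8 55.0.0.0/8 \
                 214.0.0.0/8 215.0.0.0/8; do
        iptables -A INPUT -s "$range" -j DROP
        iptables -A OUTPUT -d "$range" -j DROP
    done
    # … unchanged: save_firewall_settings / mark_completed …
```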
diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index 3f04ddef339f9d81d287d026a1ec7c80675f445e..7f55c8828cb1404d2f106d36e772752c9b6d0067 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -566,6 +566,9 @@ function setup_firewall {
 
     function_check global_rate_limit
     global_rate_limit
+
+    function_check firewall_block_bad_ip_ranges
+    firewall_block_bad_ip_ranges
 }
 
 function setup_utils {