In the FreeBSD example ipfilter setting, I can see that requests from 192.168.0.0/16 are blocked (referencing RFC1918). This seems to impose a nuisance on some private network intercom, so I comment it out.
Then I want to allow, say, pings from the local hosts; I do it by allowing incoming pings from 192.168.0.0/24.
Is there a security risk doing it like this? This notation basically includes the router too, but as I understand it, it will not allow source addresses from the WAN side.
Yes and no. It is a nuisance for internal traffic for machines that are internal.
It is NOT a nuisance on the external port per definition. Those are PRIVATE IP addresses by definition. Which means they should not exist and talk to my servers from outside my company. PERIOD. So, blocking them is BEST PRACTICE. Tons of stupid providers do not block them. Been there, seen that happen. Any external gateway should block the 3 internal IP address blocks.
I can only assume the FreeBSD "default" assumes a server on the internet / in a data center. Besides being meant to be adjusted, it should deny possible access from private IP addresses.
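A worked ipfilter rule set showing the distinction the answer draws: keep the RFC1918 block, but bind it to the external interface, and bind the ping exception to the internal interface. This is an added example, not code from the question, the answer or FreeBSD's shipped sample; the interface names em0 (WAN) and em1 (LAN) are assumptions.

```conf
# ipf.conf fragment (added example). ipfilter evaluates rules top to bottom and
# the LAST match wins unless a rule says "quick", which stops evaluation there.
# Assumed interfaces: em0 = external/WAN, em1 = internal/LAN.

# --- What the question did (weaker) -------------------------------------------
# The RFC1918 block was commented out globally, and the ping exception was not
# tied to an interface, so it also matches packets arriving on em0 with a
# forged 192.168.0.x source:
#   pass in quick proto icmp from 192.168.0.0/24 to any icmp-type echo

# --- Corrected: anti-spoof on the external interface only --------------------
# Private source addresses must never arrive from the WAN side. "log" sends a
# record to ipmon, so spoof attempts are visible rather than silently dropped.
block in log quick on em0 from 10.0.0.0/8     to any
block in log quick on em0 from 172.16.0.0/12  to any
block in log quick on em0 from 192.168.0.0/16 to any

# Egress hygiene: do not leak traffic destined for private ranges onto the WAN.
block out log quick on em0 from any to 10.0.0.0/8
block out log quick on em0 from any to 172.16.0.0/12
block out log quick on em0 from any to 192.168.0.0/16

# --- Internal interface: the ping exception lives here, not globally ---------
# Only echo requests from the local LAN, only on em1; keep state so the
# matching echo reply is allowed back without a separate rule.
pass in quick on em1 proto icmp from 192.168.0.0/24 to any icmp-type echo keep state

# Let the LAN initiate outbound sessions through the gateway.
pass out quick on em0 proto tcp from 192.168.0.0/24 to any flags S keep state
pass out quick on em0 proto udp from 192.168.0.0/24 to any keep state

# --- Default deny for anything not matched above -----------------------------
block in log all
```

Load with `ipf -Fa -f /etc/ipf.conf` and watch `ipmon -o I` for log lines on em0 with a private source, which is the spoofing the question asked about.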