[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[elpa] externals/nftables-mode 8b6ccea869 18/41: fixup! Got the IPS work
|
From: |
Stefan Monnier |
|
Subject: |
[elpa] externals/nftables-mode 8b6ccea869 18/41: fixup! Got the IPS working at last (inc IPv6), mua ha ha! |
|
Date: |
Mon, 23 May 2022 09:27:23 -0400 (EDT) |
branch: externals/nftables-mode
commit 8b6ccea869bd80669f97fbac1c5b303071cec674
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>
fixup! Got the IPS working at last (inc IPv6), mua ha ha!
---
nftables-router.nft | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/nftables-router.nft b/nftables-router.nft
index add19400c3..c7c6f6d26b 100644
--- a/nftables-router.nft
+++ b/nftables-router.nft
@@ -386,6 +386,11 @@ table inet my_filter {
## The alternative is to run this (relatively expensive)
## check on EVERY packet, instead of once per flow.
##
+ ## You can see the current state of the list with:
+ ##
+ ## nft list set inet my_filter my_IPS_IPv4_blacklist
+ ## nft list set inet my_filter my_IPS_IPv6_blacklist
+ ##
## I recommend:
##
## * this IPS for low-rate (SSH w/ ControlMaster) and unused (FTP, RDP)
services,
@@ -420,9 +425,9 @@ table inet my_filter {
add @my_IPS_IPv6_blacklist { ip6 saddr } \
log level audit log prefix "Blacklist SRC: "
- # If someone is NOT whitelisted, and IS blacklisted, then drop their
connection, AND reset their countdown.
+ # If someone is NOT whitelisted, and IS blacklisted, then drop their
connection, AND reset their countdown (hence "update" not "add").
# In other words, once blacklisted for brute-forcing SSH, you REMAIN
blacklisted until you STFU for a while (on ALL ports).
- ip saddr != @my_IPS_IPv4_whitelist ip saddr @my_IPS_IPv4_blacklist
update @my_IPS_IPv4_blacklist { ip saddr } drop
+ ip saddr != @my_IPS_IPv4_whitelist ip saddr @my_IPS_IPv4_blacklist
update @my_IPS_IPv4_blacklist { ip saddr } drop
ip6 saddr != @my_IPS_IPv6_whitelist ip6 saddr @my_IPS_IPv6_blacklist
update @my_IPS_IPv6_blacklist { ip6 saddr } drop
}
- [elpa] branch externals/nftables-mode created (now 05600129ee), Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 103844fb41 07/41: move the ICMPv6 policy to a separate named map, so it's out of the way, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 8b6ccea869 18/41: fixup! Got the IPS working at last (inc IPv6), mua ha ha!,
Stefan Monnier <=
- [elpa] externals/nftables-mode 3e71d87a8c 23/41: Chuck out the stateless vmap example from the "simple version" firewall, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode bf11cb5fec 06/41: merge the RFC4890 input and forward vmaps into a single common vmap, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 78a1a48898 04/41: cannot reject as default policy, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 7350707c88 12/41: forked from nftables-host.nft, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode b466c545f5 14/41: Example NAT rules (load OK, but haven't actually tested packets going through them), Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode b2991ce112 05/41: Notes from RFC4890 (separate vmaps initially), Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode f354d71598 13/41: break prologue (nee PRELUDE) out of input, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 35e908d774 03/41: just a backup copy in case I lose the original somewhere, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 14856f12c1 20/41: more notes, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 6fbf0a5557 01/41: Update iptab imports from twb's personal git repo., Stefan Monnier, 2022/05/23