# Netdev-family table: its chains hook at "ingress", i.e. the driver level,
# before the packet reaches the IP stack (and before any inet/ip prerouting
# chains).  Dropping here is cheap, which is the point for DDoS mitigation, but
# it also means these chains see raw frames, not connection state.
table netdev ddos_mitigation {

	# --- RFC 1918 / RFC 4193 private ranges ---------------------------------
	# "constant": never updated at runtime; "interval": CIDR ranges allowed.
	set private_ipv4 {
		type ipv4_addr
		flags interval, constant
		elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
	}
	set private_ipv6 {
		type ipv6_addr
		flags interval, constant
		elements = { fc00::/7 }
	}

	# --- Bogons (space not assigned by IANA) --------------------------------
	# Populated from an external bogon list; the single element below is only
	# a seed.  Left non-constant so the feed can be refreshed without a
	# full reload.
	# NOTE(review): loopback (127.0.0.0/8), link-local (169.254.0.0/16) and
	# shared address space (100.64.0.0/10, RFC 6598) appear in neither set
	# here; confirm the upstream feed covers them.
	set bogon_ipv4 {
		type ipv4_addr
		flags interval
		elements = { 0.0.0.0/8 }
	}
	set bogon_ipv6 {
		type ipv6_addr
		flags interval
		elements = { ::/8 }
	}

	# --- Dynamically banned hosts (e.g. inserted by fail2ban) ---------------
	# "timeout": elements may carry an expiry so bans age out on their own.
	set banned_ipv4 {
		type ipv4_addr
		flags timeout
	}
	set banned_ipv6 {
		type ipv6_addr
		flags timeout
	}

	# WAN side: nothing private, unassigned or banned may arrive from the
	# outside.  Policy stays "accept" so unmatched traffic continues to the
	# normal IP stack; each rule keeps its own counter so hit rates per
	# category remain visible in `nft list ruleset`.
	chain bogon_wan {
		type filter hook ingress device "wan" priority -500; policy accept;

		ip  saddr @bogon_ipv4   counter drop
		ip6 saddr @bogon_ipv6   counter drop
		ip  saddr @private_ipv4 counter drop
		ip6 saddr @private_ipv6 counter drop
		ip  saddr @banned_ipv4  counter drop
		ip6 saddr @banned_ipv6  counter drop
	}

	# LAN side: only unassigned space is dropped.  Private ranges are
	# deliberately not filtered here, since that is what LAN hosts use.
	chain bogon_lan {
		type filter hook ingress device "lan" priority -500; policy accept;

		ip  saddr @bogon_ipv4 counter drop
		ip6 saddr @bogon_ipv6 counter drop
	}
}