Marc wrote:
> I still need to get familiar with nft. Currently I am using ipset
NFT has an equivalent -- also called a set. Here are excerpts from my
configuration that show how addresses and ranges appear in a set and how a set
is blocked.
Defining the set of real-time intrusions:
    set SET_IPV4_MAIN_TEMPBLOCK {
        type ipv4_addr
        flags timeout
        elements = { 1.0.171.2, 1.1.110.108, [...], 223.255.161.190 }
    }
Dropping traffic that matches the set:
    chain CHAIN_INET_MAIN_INBOUND {
        type filter hook input priority 0; policy drop;
        ip saddr @SET_IPV4_MAIN_TEMPBLOCK drop
        [...]
    }
Defining a set of geolocated address blocks:
    set SET_GEO_IPV4_RU {
        type ipv4_addr
        flags interval
        elements = { 2.16.20.0/23, [...], 217.199.236.0-217.199.254.255 }
    }
Dropping traffic that matches such a set:
    chain CHAIN_GEO_IPV4 {
        type filter hook input priority -300; policy accept;
        [...]
        ip saddr @SET_GEO_IPV4_CN drop
        [...]
        ip saddr @SET_GEO_IPV4_RU drop
        [...]
    }
The configuration for IPv6 is analogous.
Marc wrote:
> I am looking for something that can do this automatically.
I have all this scripted and scheduled. It's hands-off, except that I look at
reports from time to time, to see if there is a new intrusion pattern I should
be detecting.
Marc wrote:
> Afaik ipset was very good with latency. I have no idea how this is replaced.
According to what I have read, NFT beats the IP firewall in benchmarks. But I
have not tested it at scale. Personally I can only say the NFT filter is much
faster than I need it to be. The amount of CPU it costs is so small I cannot
measure it. So I do not see it contributing measurably to latency.
--
Cheers!
Edward
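As an added illustration of the two set styles shown above and of the kind of "scripted and scheduled" feeding Edward mentions, here is a small Python script that is not part of Edward's message or his configuration. It scans a few constructed sshd log lines, picks out sources that exceed a failure threshold, and renders the `nft add element` commands that would place them in the timeout set, plus a renderer for the interval set form. The table name `inet filter`, the log format, the threshold of 3 and the 1h timeout are assumptions; the set names are the ones from the excerpts.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not taken from any real host).
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[1011]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jan 10 03:14:03 host sshd[1011]: Failed password for root from 198.51.100.7 port 41024 ssh2
Jan 10 03:14:05 host sshd[1011]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Jan 10 03:14:09 host sshd[1020]: Failed password for invalid user test from 203.0.113.9 port 50112 ssh2
Jan 10 03:15:00 host sshd[1031]: Accepted publickey for edward from 192.0.2.10 port 22000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .* from (\S+) port \d+")


def failed_logins(log_text):
    """Count failed SSH password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[ip_address(m.group(1))] += 1
    return counts


def offenders(counts, threshold=3):
    """IPv4 sources at or above the threshold, as sorted strings (threshold is an assumption)."""
    return sorted(str(ip) for ip, n in counts.items()
                  if ip.version == 4 and n >= threshold)


def tempblock_commands(addrs, table="inet filter",
                       set_name="SET_IPV4_MAIN_TEMPBLOCK", timeout="1h"):
    """Render nft commands that add each address to the timeout set.

    Because the set carries `flags timeout`, the kernel expires each element
    on its own after the given interval; no cleanup job is needed.
    The table name is an assumption; the set name is from the excerpt.
    """
    return [f"nft add element {table} {set_name} {{ {a} timeout {timeout} }}"
            for a in addrs]


def valid_interval(entry):
    """True if entry is a CIDR block or an ascending a-b range, as `flags interval` sets accept."""
    if "-" in entry:
        lo, hi = (ip_address(p) for p in entry.split("-", 1))
        return lo.version == hi.version == 4 and lo <= hi
    try:
        ip_network(entry, strict=True)
        return True
    except ValueError:
        return False


def render_set(set_name, elements, flags):
    """Render an nft set definition in the same shape as the excerpts above."""
    body = ", ".join(elements)
    return (f"set {set_name} {{\n"
            f"    type ipv4_addr\n"
            f"    flags {flags}\n"
            f"    elements = {{ {body} }}\n"
            f"}}")


if __name__ == "__main__":
    # Typical cron-driven run: parse the log, print the commands to apply.
    for cmd in tempblock_commands(offenders(failed_logins(SAMPLE_LOG))):
        print(cmd)
    geo = ["2.16.20.0/23", "217.199.236.0-217.199.254.255"]
    assert all(valid_interval(e) for e in geo)
    print(render_set("SET_GEO_IPV4_RU", geo, "interval"))
```

Run from cron, the script would feed its output to `nft -f -` or execute each line; the interval renderer is only there to show that both CIDR and `a-b` range forms are acceptable elements of an interval set.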