#
# nftables ruleset: early source-address filtering on the netdev ingress hook.
#
# The "netdev" family attaches chains directly to a network device, so a
# matching packet is dropped before it reaches the prerouting hook of any
# ip/ip6/inet table. Every chain below uses "policy accept": traffic that
# hits no set simply falls through to the regular ruleset.
#
# Set roles:
#   banned_*  - presumably populated at runtime by the banning tool
#               (the comment names fail2ban); "timeout" lets entries expire
#   bogon_*   - address space not assigned by IANA; only a seed element is
#               present here, the full list is presumably loaded from an
#               external bogon feed
#   private_* - RFC 1918 / RFC 4193 ranges; "constant" because they never
#               change once the table is loaded
#
table netdev ddos_mitigation {

    # ---- Banned addresses (for example with fail2ban) ----------------------
    # No static elements: entries are expected to be added dynamically.
    # "timeout" allows each entry to carry its own expiry.
    set banned_ipv4 {
        type ipv4_addr
        flags timeout
    }

    set banned_ipv6 {
        type ipv6_addr
        flags timeout
    }

    # ---- Bogons IP retrieved from a bogon list -----------------------------
    # "interval" lets the set hold prefixes rather than single addresses.
    set bogon_ipv4 {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8 }
    }

    set bogon_ipv6 {
        type ipv6_addr
        flags interval
        elements = { ::/8 }
    }

    # ---- Private addresses -------------------------------------------------
    # "constant" marks the set immutable after load; these ranges are fixed.
    set private_ipv4 {
        type ipv4_addr
        flags interval, constant
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    set private_ipv6 {
        type ipv6_addr
        flags interval, constant
        elements = { fc00::/7 }
    }

    # Block bogon networks on the wan interface
    # (Not assigned by IANA + RFC 1918 + RFC 4193)
    # Private source ranges are dropped on the WAN side too, presumably as an
    # anti-spoofing measure; banned hosts are dropped here as well.
    # Each rule keeps a counter so drops can be observed with "nft list".
    chain bogon_wan {
        type filter hook ingress device wan priority -500; policy accept

        ip saddr @bogon_ipv4 counter drop
        ip saddr @private_ipv4 counter drop
        ip saddr @banned_ipv4 counter drop

        ip6 saddr @bogon_ipv6 counter drop
        ip6 saddr @private_ipv6 counter drop
        ip6 saddr @banned_ipv6 counter drop
    }

    # Block bogon networks on the lan interface
    # (Not assigned by IANA)
    # Private ranges are deliberately not dropped here, since LAN hosts use
    # them. NOTE(review): the banned_* sets are not consulted on the LAN
    # side — confirm that is intended.
    chain bogon_lan {
        type filter hook ingress device lan priority -500; policy accept

        ip saddr @bogon_ipv4 counter drop
        ip6 saddr @bogon_ipv6 counter drop
    }
}