* recent module in nftables
@ 2017-07-27 20:59 Perry Thompson
  2017-07-27 21:46 ` /dev/rob0
  2017-07-28 19:57 ` Martin Bednar
  0 siblings, 2 replies; 5+ messages in thread
From: Perry Thompson @ 2017-07-27 20:59 UTC (permalink / raw)
  To: netfilter

Hello all,

It may be way too early to ask this question, but I thought I might as
well see if anyone has any information on it.

Will the "recent" module or an option with a similar function be
introduced into nftables in the future? Are there any plans to create
something like this? It has always been a very good tool for keeping
bad IPs from touching my system.

Thank you.


* Re: recent module in nftables
  2017-07-27 20:59 recent module in nftables Perry Thompson
@ 2017-07-27 21:46 ` /dev/rob0
  2017-07-27 22:18   ` James
  2017-07-28 19:57 ` Martin Bednar
  1 sibling, 1 reply; 5+ messages in thread
From: /dev/rob0 @ 2017-07-27 21:46 UTC (permalink / raw)
  To: netfilter

On Thu, Jul 27, 2017 at 03:59:59PM -0500, Perry Thompson wrote:
> It may be way too early to ask this question, but I thought I might 
> as well see if anyone has any information on it.
> 
> Will the "recent" module or an option with a similar function be 
> introduced into nftables in the future? Are there any plans to 
> create something like this? It has always been a very good tool
> for keeping bad IPs from touching my system.

I don't know nftables yet, but I do know that ipset(8) and the set 
match and the SET target can accomplish the same things recent does.
Also, I believe a set functionality exists in nftables.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


* Re: recent module in nftables
  2017-07-27 21:46 ` /dev/rob0
@ 2017-07-27 22:18   ` James
  0 siblings, 0 replies; 5+ messages in thread
From: James @ 2017-07-27 22:18 UTC (permalink / raw)
  To: netfilter

>> It may be way too early to ask this question, but I thought I might
>> as well see if anyone has any information on it.
>>
>> Will the "recent" module or an option with a similar function be
>> introduced into nftables in the future? Are there any plans to
>> create something like this? It has always been a very good tool
>> for keeping bad IPs from touching my system.
> 
> I don't know nftables yet, but I do know that ipset(8) and the set
> match and the SET target can accomplish the same things recent does.
> Also, I believe a set functionality exists in nftables.
> 

How about the following?  It's trimmed/sanitized from my full config (I hope
there are no typos in this).  Currently blocking ~4,000 addresses.

Separately, I use swatchd to extract addresses from log files and add them
to various other sets (that are not included in this extract) as my own take
on fail2ban.

nftables is great!

<--- snip --->

#!/usr/sbin/nft -f

flush ruleset

# flush table inet firewall

table inet firewall {
  # Manually fed blocklists (the log-scanner-populated sets mentioned above).
  # The posted extract referenced these without declaring them, so they are
  # declared here so that the file loads as written.
  set v4blackhole { type ipv4_addr; }
  set v6blackhole { type ipv6_addr; }
  # Automatically populated sets: an entry expires 31 days after it was added
  set v4autohole { type ipv4_addr; timeout 31d; }
  set v6autohole { type ipv6_addr; timeout 31d; }
  chain incoming {
   type filter hook input priority 0; policy drop;
   iifname lo accept
   ct state { invalid } drop
   ip saddr @v4blackhole drop
   ip6 saddr @v6blackhole drop
   # The posted extract never matched on the autohole sets, so addresses
   # collected at the bottom of this chain were not actually blocked; drop them
   ip saddr @v4autohole drop
   ip6 saddr @v6autohole drop
   ip protocol { icmp } icmp type { echo-request } accept
   ip6 nexthdr { ipv6-icmp } icmpv6 type { echo-request } accept
   ip6 nexthdr { ipv6-icmp } icmpv6 type { nd-router-advert, nd-redirect, nd-neighbor-advert, nd-neighbor-solicit } accept
   ct state { new } tcp dport { ssh } accept
   ct state { established, related } accept
   # Following are some well-established public content-providing service ports that it is
   # reasonable folks would go looking for so drop 'em but don't bother autoholing them
   udp dport { dns, ntp } drop
   tcp dport { ftp, smtp, dns, gopher, http, ntp, https } drop
   # Drop everyone else into a deep dark hole for 31 days: record the source in
   # the timed set, then fall through to the chain's drop policy.
   # ("set add" is the older statement form; newer nft also accepts
   # "add @v4autohole { ip saddr }".)
   meta protocol ip set add ip saddr @v4autohole
   meta protocol ip6 set add ip6 saddr @v6autohole
  }
  chain forwarding {
   type filter hook forward priority 0; policy drop;
  }
  chain outgoing {
   type filter hook output priority 0; policy drop;
   # On the output hook there is no input interface; match the outgoing one
   oifname lo accept
   ip6 nexthdr { ipv6-icmp } icmpv6 type { echo-request, nd-neighbor-advert, nd-neighbor-solicit } accept
   ct state { new, established, related } accept
  }
}

<--- snip --->

-- 

  - James

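James describes feeding his sets from log files with swatchd as a home-grown fail2ban. The following is an added example, not code from the thread or from swatchd: it scans constructed sshd log lines for failed logins, selects sources that failed at least a threshold number of times inside a time window, and builds the "nft add element" commands for the sets in his posted ruleset (table inet firewall, sets v4autohole and v6autohole; those names come from his config). The threshold, window, allowlist and log lines are assumptions made for the example; the script only prints the commands and never runs nft.

```python
"""Log-driven population of the autohole sets from James's ruleset.

Added example, not code from the thread: a small stand-in for the
swatchd-based extraction James describes.  It scans sshd log lines for
failed logins, picks sources that failed at least `threshold` times within
`window_seconds`, and builds the matching "nft add element" commands for
the sets in his posted ruleset (table "inet firewall", sets "v4autohole"
and "v6autohole").  Thresholds, allowlist and log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in OpenSSH syslog format (the year is not in
# the line, so it is supplied separately when parsing).
SAMPLE_LOG = """\
Jul 27 21:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Jul 27 21:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
Jul 27 21:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51541 ssh2
Jul 27 21:00:09 host sshd[1207]: Accepted publickey for james from 192.0.2.10 port 40001 ssh2
Jul 27 21:01:00 host sshd[1209]: Failed password for root from 2001:db8::bad port 33333 ssh2
Jul 27 21:20:00 host sshd[1211]: Failed password for root from 2001:db8::bad port 33334 ssh2
Jul 27 21:40:00 host sshd[1213]: Failed password for root from 2001:db8::bad port 33335 ssh2
Jul 27 21:41:00 host sshd[1215]: Failed password for james from 192.0.2.10 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2017):
    """Return [(timestamp, ip_address)] for every failed-password line."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        found.append((ts, ipaddress.ip_address(m["ip"])))
    return found


def offenders(log_text, threshold=3, window_seconds=600, allowlist=()):
    """Addresses with >= threshold failures inside any window_seconds span.

    Addresses inside any allowlist network are never returned, so a mistyped
    password from an admin host cannot lock that host out for 31 days.
    """
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        if any(ip in net for net in allowed):
            continue
        by_ip[ip].append(ts)
    bad = set()
    for ip, times in by_ip.items():
        times.sort()
        # sliding window: `threshold` consecutive failures whose first and
        # last timestamps lie within the window
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                bad.add(ip)
                break
    return bad


def nft_commands(addresses, table="inet firewall", timeout="31d"):
    """One "nft add element" command per address, choosing the set by family.

    The per-element timeout repeats the sets' declared 31d default; it can be
    omitted to rely on that default.
    """
    cmds = []
    for ip in sorted(addresses, key=lambda a: (a.version, a)):
        set_name = "v4autohole" if ip.version == 4 else "v6autohole"
        cmds.append(f"nft add element {table} {set_name} {{ {ip} timeout {timeout} }}")
    return cmds


if __name__ == "__main__":
    for cmd in nft_commands(offenders(SAMPLE_LOG, allowlist=["192.0.2.0/24"])):
        print(cmd)
```

With the defaults, only 203.0.113.7 qualifies: its three failures arrive within four seconds, while 2001:db8::bad spreads three failures over 39 minutes and only crosses the threshold if the window is widened to an hour. Keeping the window explicit is the difference between catching a brute-force burst and banning a slow, legitimate user who mistypes a few times a day.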

* Re: recent module in nftables
  2017-07-27 20:59 recent module in nftables Perry Thompson
  2017-07-27 21:46 ` /dev/rob0
@ 2017-07-28 19:57 ` Martin Bednar
  2017-07-30 23:32   ` Perry Thompson
  1 sibling, 1 reply; 5+ messages in thread
From: Martin Bednar @ 2017-07-28 19:57 UTC (permalink / raw)
  To: Perry Thompson; +Cc: netfilter


On Thursday, 27 July 2017 22:59:59 CEST Perry Thompson wrote:
> Hello all,
> 
> It may be way too early to ask this question, but I thought I might as
> well see if anyone has any information on it.
> 
> Will the "recent" module or an option with a similar function be
> introduced into nftables in the future? Are there any plans to create
> something like this? It has always been a very good tool for keeping
> bad IPs from touching my system.

I think flow tables might fit the bill.
https://wiki.nftables.org/wiki-nftables/index.php/Flow_tables

I use them for filtering out SSH connection attempts, by allowing 3 SYN packets 
per minute.

tcp dport ssh ct state new flow table ssh { iif . ip saddr . tcp dport timeout 1h limit rate 3/minute } accept


Cheers

Martin.


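Martin's rule keys the limit on the concatenation iif . ip saddr . tcp dport, so each source gets its own 3/minute budget and an entry is forgotten after an hour of silence. The following added example (not code from the thread, and not the kernel's implementation) models that behaviour as one token bucket per key over constructed SYN arrivals, to show that one source exhausting its budget does not affect another and that an idle source gets a fresh budget after the timeout. The bucket size (burst) is a parameter of the model rather than a value taken from nft; nft(8) documents its own default burst. Packets the model rejects are the ones the real rule does not accept, so they fall through to whatever rule follows.

```python
"""Model of the per-source SSH limit in Martin's meter rule.

Added example, not code from the thread.  It models the posted rule

  tcp dport ssh ct state new flow table ssh { iif . ip saddr . tcp dport
    timeout 1h limit rate 3/minute } accept

as one token bucket per (iif, saddr, dport) key, refilled at 3 tokens per
minute, with a key forgotten after 1h without traffic.  The bucket size
(burst) is an assumed model parameter, not a value taken from nft.
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    last_seen: float  # seconds


class Meter:
    def __init__(self, rate_per_minute=3, burst=3, entry_timeout=3600):
        self.rate = rate_per_minute / 60.0  # tokens per second
        self.burst = burst
        self.entry_timeout = entry_timeout
        self.entries = {}

    def _expire(self, now):
        """Forget keys idle longer than the timeout (the 1h in the rule)."""
        stale = [k for k, b in self.entries.items() if now - b.last_seen > self.entry_timeout]
        for key in stale:
            del self.entries[key]

    def admit(self, key, now):
        """True if a new connection from `key` at time `now` is within the limit."""
        self._expire(now)
        b = self.entries.get(key)
        if b is None:
            # first packet for this key: a fresh bucket holding `burst` tokens
            b = Bucket(tokens=float(self.burst), last_seen=now)
            self.entries[key] = b
        else:
            # refill for the time elapsed since the key was last seen, capped at burst
            b.tokens = min(self.burst, b.tokens + (now - b.last_seen) * self.rate)
            b.last_seen = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


# Constructed SYN arrivals: (seconds, iif, saddr, dport).  One source hammers
# the port once a second; a second source makes a single attempt in the
# middle; the first source returns after more than an hour of silence.
SAMPLE_SYNS = (
    [(float(t), "eth0", "203.0.113.7", 22) for t in range(10)]
    + [(5.0, "eth0", "192.0.2.10", 22)]
    + [(3700.0, "eth0", "203.0.113.7", 22)]
)


def simulate(events, **meter_args):
    """Run events through one Meter in time order; returns [(t, saddr, accepted)]."""
    meter = Meter(**meter_args)
    out = []
    for t, iif, saddr, dport in sorted(events):
        out.append((t, saddr, meter.admit((iif, saddr, dport), t)))
    return out


def accepted_by_source(events, **meter_args):
    """Map saddr -> list of accept decisions in time order."""
    decisions = {}
    for t, saddr, ok in simulate(events, **meter_args):
        decisions.setdefault(saddr, []).append(ok)
    return decisions


if __name__ == "__main__":
    for t, saddr, ok in simulate(SAMPLE_SYNS):
        print(f"t={t:7.1f}s {saddr:>14} {'accept' if ok else 'over limit'}")
```

With a burst of 3, the hammering source gets its first three SYNs accepted and the next seven fall through, the other source's single attempt at t=5 is accepted untouched because it is a different key, and the returning attempt at t=3700 is accepted again because the entry expired. Note that, as in the real rule, the over-limit packets are merely not accepted here; whether they are dropped depends on what follows the meter rule in the chain.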

* Re: recent module in nftables
  2017-07-28 19:57 ` Martin Bednar
@ 2017-07-30 23:32   ` Perry Thompson
  0 siblings, 0 replies; 5+ messages in thread
From: Perry Thompson @ 2017-07-30 23:32 UTC (permalink / raw)
  To: Martin Bednar; +Cc: netfilter


Thank you. I hadn't known about hashlimits and flow. While it is still
a bit different, this will work perfectly for what I need it to do.

I suppose from here I'd be curious to know if the "recent" module has
any benefits over "hashlimit" in iptables, and I suppose I'm still
curious to know if it plans on being implemented in nftables or left
out completely, if anyone knows.

Thank you,

On Fri, 28 Jul 2017 21:57:25 +0200
Martin Bednar <martin@serafean.cz> wrote:

> On Thursday, 27 July 2017 22:59:59 CEST Perry Thompson wrote:
> > Hello all,
> > 
> > It may be way too early to ask this question, but I thought I might
> > as well see if anyone has any information on it.
> > 
> > Will the "recent" module or an option with a similar function be
> > introduced into nftables in the future? Are there any plans to
> > create something like this? It has always been a very good tool for
> > keeping bad IPs from touching my system.  
> 
> I think flow tables might fit the bill.
> https://wiki.nftables.org/wiki-nftables/index.php/Flow_tables
> 
> I use them for filtering out SSH connection attempts, by allowing 3
> SYN packets per minute.
> 
> tcp dport ssh ct state new flow table ssh { iif . ip saddr . tcp
> dport timeout 1h limit rate 3/minute}  accept
> 
> 
> Cheers
> 
> Martin.



