* recent module in nftables
From: Perry Thompson @ 2017-07-27 20:59 UTC
To: netfilter

Hello all,

It may be way too early to ask this question, but I thought I might as well see if anyone has any information on it.

Will the "recent" module or an option with a similar function be introduced into nftables in the future? Are there any plans to create something like this? It has always been a very good tool for keeping bad IPs from touching my system.

Thank you.
* Re: recent module in nftables
From: /dev/rob0 @ 2017-07-27 21:46 UTC
To: netfilter

On Thu, Jul 27, 2017 at 03:59:59PM -0500, Perry Thompson wrote:
> It may be way too early to ask this question, but I thought I might
> as well see if anyone has any information on it.
>
> Will the "recent" module or an option with a similar function be
> introduced into nftables in the future? Are there any plans to
> create something like this? It has always been a very good tool
> for keeping bad IPs from touching my system.

I don't know nftables yet, but I do know that ipset(8) and the set match and the SET target can accomplish the same things recent does. Also, I believe a set functionality exists in nftables.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
* Re: recent module in nftables
From: James @ 2017-07-27 22:18 UTC
To: netfilter

>> It may be way too early to ask this question, but I thought I might
>> as well see if anyone has any information on it.
>>
>> Will the "recent" module or an option with a similar function be
>> introduced into nftables in the future? Are there any plans to
>> create something like this? It has always been a very good tool
>> for keeping bad IPs from touching my system.
>
> I don't know nftables yet, but I do know that ipset(8) and the set
> match and the SET target can accomplish the same things recent does.
> Also, I believe a set functionality exists in nftables.
>

How about the following? It's trimmed/sanitized from my full config (I hope there are no typos in this). Currently blocking ~4,000 addresses.

Separately, I use swatchd to extract addresses from log files and add them to various other sets (that are not included in this extract) as my own take on fail2ban.

nftables is great!

<--- snip --->
#!/usr/sbin/nft -f

flush ruleset # flush table inet firewall

table inet firewall {
    # v4blackhole/v6blackhole are referenced below but their definitions were
    # trimmed from this extract; minimal declarations are assumed here so the
    # file loads as-is (the full config populates them from log scraping).
    set v4blackhole { type ipv4_addr; }
    set v6blackhole { type ipv6_addr; }

    # Auto-populated hole: entries expire 31 days after being added.
    set v4autohole { type ipv4_addr; timeout 31d; }
    set v6autohole { type ipv6_addr; timeout 31d; }

    chain incoming {
        type filter hook input priority 0; policy drop;
        iifname lo accept
        ct state { invalid } drop
        ip saddr @v4blackhole drop
        ip6 saddr @v6blackhole drop
        ip protocol { icmp } icmp type { echo-request } accept
        ip6 nexthdr { ipv6-icmp } icmpv6 type { echo-request } accept
        ip6 nexthdr { ipv6-icmp } icmpv6 type { nd-router-advert, nd-redirect, nd-neighbor-advert, nd-neighbor-solicit } accept
        ct state { new } tcp dport { ssh } accept
        ct state { established, related } accept
        # Following are some well-established public content-providing service ports that it is
        # reasonable folks would go looking for so drop 'em but don't bother autoholing them
        udp dport { dns, ntp } drop
        tcp dport { ftp, smtp, dns, gopher, http, ntp, https } drop
        # Drop everyone else into a deep dark hole for 31 days
        # (the chain policy does the actual drop after the source is recorded)
        meta protocol ip set add ip saddr @v4autohole
        meta protocol ip6 set add ip6 saddr @v6autohole
    }

    chain forwarding {
        type filter hook forward priority 0; policy drop;
    }

    chain outgoing {
        type filter hook output priority 0; policy drop;
        # Locally generated packets have no input interface, so the original
        # "iifname lo" could never match here; the output interface is what
        # identifies loopback traffic in the output hook.
        oifname lo accept
        ip6 nexthdr { ipv6-icmp } icmpv6 type { echo-request, nd-neighbor-advert, nd-neighbor-solicit } accept
        ct state { new, established, related } accept
    }
}
<--- snip --->

-- 
- James
* Re: recent module in nftables
From: Martin Bednar @ 2017-07-28 19:57 UTC
To: Perry Thompson; +Cc: netfilter

On Thursday, 27 July 2017 22:59:59 CEST Perry Thompson wrote:
> Hello all,
>
> It may be way too early to ask this question, but I thought I might as
> well see if anyone has any information on it.
>
> Will the "recent" module or an option with a similar function be
> introduced into nftables in the future? Are there any plans to create
> something like this? It has always been a very good tool for keeping
> bad IPs from touching my system.

I think flow tables might fit the bill.
https://wiki.nftables.org/wiki-nftables/index.php/Flow_tables

I use them for filtering out SSH connection attempts, by allowing 3 SYN packets per minute.

tcp dport ssh ct state new flow table ssh { iif . ip saddr . tcp dport timeout 1h limit rate 3/minute } accept

Cheers
Martin.
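The two techniques in this thread, James's dynamic sets with a timeout and Martin's flow-table rate limit, compose into a single ruleset that behaves like the iptables recent/hashlimit pair: count new SSH connections per source, and once a source exceeds the rate, record it in a set whose entries expire by themselves. The following ruleset is an added example, not a config posted by anyone in the thread. It assumes the syntax of nftables 0.8.1 and later, where `flow table` was renamed `meter` and a set that is filled from the packet path must carry `flags dynamic`; the table, set and meter names are chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): recent/hashlimit-style SSH guard.
# Assumes nftables >= 0.8.1 ("meter" syntax); names below are example names.
flush ruleset

table inet filter {
    # Sources that exceeded the rate. Entries expire on their own after
    # the set's default timeout, like ipset's timeout or recent's reaping.
    set ssh_abusers {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1h
    }
    set ssh_abusers6 {
        type ipv6_addr
        flags dynamic,timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state { established, related } accept
        ct state invalid drop

        # Listed sources are dropped before any rate accounting; "counter"
        # gives a visible hit count in "nft list ruleset" for monitoring.
        ip saddr @ssh_abusers counter drop
        ip6 saddr @ssh_abusers6 counter drop

        # A source opening more than 3 new SSH connections per minute is added
        # to the abuser set (for the set's default 1h) and this packet is
        # dropped. The per-source meter entry itself expires after 5 minutes idle.
        tcp dport ssh ct state new meter ssh_meter4 { ip saddr timeout 5m limit rate over 3/minute } add @ssh_abusers { ip saddr } counter drop
        tcp dport ssh ct state new meter ssh_meter6 { ip6 saddr timeout 5m limit rate over 3/minute } add @ssh_abusers6 { ip6 saddr } counter drop

        # Everyone under the rate gets through to sshd.
        tcp dport ssh ct state new accept
    }
}
```

Load it with `nft -f <file>` and watch the population of the hole with `nft list set inet filter ssh_abusers`; a source that was listed by mistake is released with `nft delete element inet filter ssh_abusers { 192.0.2.10 }` (a TEST-NET address standing in for a real one). Two caveats worth knowing when migrating from `recent`: nft's `limit` is a token bucket whose default burst is 5 packets, so the first few connections above the nominal rate still pass unless a `burst` is set explicitly, whereas `recent --hitcount` counts hits in a sliding window; and keying the meter on `ip saddr` alone means a whole NAT'd office shares one bucket, which is the same trade-off `recent` has.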
* Re: recent module in nftables
From: Perry Thompson @ 2017-07-30 23:32 UTC
To: Martin Bednar; +Cc: netfilter

Thank you. I hadn't known about hashlimits and flow. While it is still a bit different, this will work perfectly for what I need it to do.

I suppose from here I'd be curious to know if the "recent" module has any benefits over "hashlimit" in iptables, and I suppose I'm still curious to know if it plans on being implemented in nftables or left out completely, if anyone knows.

Thank you,

On Fri, 28 Jul 2017 21:57:25 +0200 Martin Bednar <martin@serafean.cz> wrote:
> On Thursday, 27 July 2017 22:59:59 CEST Perry Thompson wrote:
> > Hello all,
> >
> > It may be way too early to ask this question, but I thought I might
> > as well see if anyone has any information on it.
> >
> > Will the "recent" module or an option with a similar function be
> > introduced into nftables in the future? Are there any plans to
> > create something like this? It has always been a very good tool for
> > keeping bad IPs from touching my system.
>
> I think flow tables might fit the bill.
> https://wiki.nftables.org/wiki-nftables/index.php/Flow_tables
>
> I use them for filtering out SSH connection attempts, by allowing 3
> SYN packets per minute.
>
> tcp dport ssh ct state new flow table ssh { iif . ip saddr . tcp
> dport timeout 1h limit rate 3/minute } accept
>
>
> Cheers
> Martin.