All of lore.kernel.org
 help / color / mirror / Atom feed
From: Randy Bush <randy@psg.com>
To: "Kerin Millar" <kfm@plushkava.net>
Cc: netfilter@vger.kernel.org
Subject: Re: prefix len confusion
Date: Tue, 09 Jun 2026 18:32:36 -0700	[thread overview]
Message-ID: <m2zf1318p7.wl-randy@psg.com> (raw)
In-Reply-To: <6fcf67b9-4fee-4b1c-85f1-597afff788ba@app.fastmail.com>

>> sorry for being insufficiently explicit
>>
>> the ssh attacker is getting through to 42.642.11.82, which is a piece of
>> hardware, not a vm.  it is the ssh port of a hardware switch whose
>> security profile i prefer not to expose to attackers.
>>
>>     define VULN4 = {
>> 	42.642.11.34/31,
>> 	42.642.11.36/31,
>> 	42.642.11.40/29,
>> 	42.642.11.48/29,
>> 	42.642.11.80/30   # <<<====
>>     }
>>
>>         ip daddr $VULN4 drop

> 
> In that case, the question becomes one of whether your nftables host
> is responsible for forwarding packets to "42.642.11.82" (as you put
> it) at all. And, just as importantly, from which source address.

the nftables is on the border router.  and traceroute showed the path
in.

the sources of the attacks are a ddos, /82 logs the ssh attack as from a
jillion source addresses.

> Try incorporating the following table into your existing ruleset.
> 
> table ip raw {
>     chain PREROUTING {
>         type filter hook prerouting priority raw;
>         ip daddr 42.642.11.82 tcp dport 22 meta nftrace set 1
>     }
> }
> 
> 
> Next, run "nft monitor trace".

sure, if only because i will learn a new hack :)

> If you do see output, study it, for it will conclusively show how the
> packets traverse your ruleset and why they are being accepted.

that would be lovely!!

thank you.  will report back.

randy

  reply	other threads:[~2026-06-10  1:32 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-10  0:10 prefix len confusion Randy Bush
2026-06-10  0:51 ` Kerin Millar
2026-06-10  1:01   ` Randy Bush
2026-06-10  1:26     ` Kerin Millar
2026-06-10  1:32       ` Randy Bush [this message]
2026-06-10  1:38         ` Kerin Millar
2026-06-10  6:20     ` Reindl Harald
2026-06-10 10:09       ` Kerin Millar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=m2zf1318p7.wl-randy@psg.com \
    --to=randy@psg.com \
    --cc=kfm@plushkava.net \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.