#
################################################
### Managed by someone's ansible provisioner ###
################################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2024 by someone <someone@somenet.org>
#

# fail2ban action override -- presumably deployed as nftables-common.local so
# that these keys take precedence over the stock nftables-common.conf.
# Two kinds of substitution happen in the values below: "%(key)s" is
# configparser-style interpolation resolved within the action file, while
# "<tag>" placeholders are filled in by fail2ban at ban/unban time; the
# resulting text ends up as an "nft" command line (apparently run through a
# shell, which is why the blocktype value below is shell-quoted).
#
# only filter outside-in connections. (allow initiating connections to banned ips)
# The "ct mark == 2" prefix restricts the ban rule to conntrack entries that
# carry mark 2. Nothing in this file sets that mark, so it must be assigned to
# inbound connections elsewhere (presumably the base nftables ruleset managed by
# the same role). NOTE(review): if that marking rule is missing, or if it runs
# only after this chain for the first packet of a new connection, banned
# addresses are not matched here -- verify with "nft list ruleset".
[Definition]
rule_stat = ct mark == 2 %(match)s <addr_family> saddr @<addr_set> <blocktype>


[Init]
# Hook the fail2ban chain into "prerouting" rather than fail2ban's default
# "input". The input hook only sees packets addressed to this host, so bans
# placed there do not apply to traffic the box forwards; prerouting sees every
# incoming packet before the routing decision (firewalls/netwide-bans).
# NOTE(review): the "reject" in blocktype below is only accepted in a
# prerouting chain on kernels that permit it (older ones limit reject to the
# input/forward/output hooks) -- confirm the chain loads with "nft -c" on the
# target hosts.
chain_hook = prerouting

# block all from src-IP, not just all tcp ports.
# Leaving this empty removes the per-protocol match that the stock definition
# adds, so rule_stat applies to every protocol from a banned source, not only
# the ports of the jail that banned it.
rule_match-allports =

# count and/or log verbosely
# Each matched packet is counted, logged to the kernel log under the given
# prefix, and answered with an ICMP/ICMPv6 host-unreachable. The outer double
# quotes are shell quoting: the ";" inside the prefix would otherwise end the
# nft command, and \" produces the literal quotes nft requires around a log
# prefix. Security trade-off (deliberate here, same default as fail2ban):
# "reject" sends a reply for every matched packet, which confirms the host is
# up and, for spoofed sources, directs that reply at a third party; "drop"
# would discard silently.
blocktype  = "counter log prefix \"NFT:f2b-chain:REJECT-banned; \" reject with icmpx type host-unreachable"