#
################################################
### Managed by someone's ansible provisioner ###
################################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2025 by someone <someone@somenet.org>
#

# Only filter connections initiated from outside (this host may still initiate connections to banned IPs).
[Definition]
# Rule installed per banned address. <tag> placeholders (<addr_family>,
# <addr_set>, <blocktype>) are substituted by fail2ban at run time; %(match)s
# is config interpolation of the rule_match-* key selected by the jail.
# The leading "ct mark == 2" restricts the rule to conntrack entries carrying
# mark 2, i.e. connections the rest of the ruleset has marked as outside-in.
# The mark is NOT set anywhere in this file.
# NOTE(review): if no other rule in the provisioned ruleset sets mark 2, this
# rule never matches and bans are silently ineffective — confirm the marking
# rule exists and fires before this chain.
rule_stat = ct mark == 2 %(match)s <addr_family> saddr @<addr_set> <blocktype>


[Init]
# Hook point of the fail2ban chain. The default is "input", which only sees
# traffic addressed to this host; "prerouting" also sees traffic this box
# forwards, which is what a firewall / network-wide ban needs.
# NOTE(review): whether "reject" (see blocktype below) is accepted in a
# prerouting-hooked chain depends on the kernel's nft_reject support — confirm
# on the target kernel; a plain "drop" has no such restriction.
chain_hook = prerouting

# Empty protocol match: block everything from the banned source address, not
# just the jail's (TCP) ports. Presumably this is what %(match)s in rule_stat
# expands to for the "allports" ban type — verify against the base action file.
rule_match-allports =

# Verdict part of the rule:
#  - "counter" keeps per-rule hit counts readable via "nft list ruleset";
#  - "log prefix" writes one kernel log line per matched packet — useful for
#    detection/audit, but unbounded under a flood (consider a "limit rate"
#    if logs get noisy);
#  - "reject with icmpx type host-unreachable" answers with an ICMP/ICMPv6
#    error instead of silently dropping; "icmpx" is the family-agnostic form
#    usable in an inet table.
# NOTE(review): the ';' inside the prefix is log text, not a comment. Some INI
# readers treat a ';' preceded by whitespace as an inline comment, so keep it
# attached to "banned" — confirm against fail2ban's config parser. The outer
# quotes and the \" escapes are assumed to be for the shell that runs the nft
# command — confirm.
blocktype  = "counter log prefix \"NFT:f2b-chain:REJECT-banned; \" reject with icmpx type host-unreachable"