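---
# Config file for nft-blackhole in yaml
# IP versions supported: 'on' or 'off', default 'off'
# NOTE(review): 'on'/'off' are YAML 1.1 booleans and load as true/false under
# PyYAML; the tool's own comments use this form, so they are kept unquoted here.
IP_VERSIONS:
  v4: on
  v6: on

# Block policy: 'drop' or 'reject', default: 'drop'
BLOCK_POLICY: drop

# Block output connections to blacklisted ips: 'on' or 'off', default: 'off'
# Connections to blocked countries will still be possible.
BLOCK_OUTPUT: off

# Whitelist: IP or Network addresses
# Entries here are exempt from the block rules; keep the address you
# administer the host from in this list so a blacklist or country rule
# cannot lock you out.
WHITELIST:
  v4:
    - 127.0.0.1
    # NOTE(review): this prefix has host bits set (.1/24); the intended
    # network is presumably 192.168.0.0/24 — confirm how nft treats the
    # unmasked form before relying on it.
    - 192.168.0.1/24
  v6:
    - '2a02:8060::/31'

# Blacklist: URLs to IP or Network addresses
# For example, with: https://iplists.firehol.org/
# These lists are fetched from a third party and turned into block rules;
# review which lists you enable and keep WHITELIST covering your own hosts.
BLACKLIST:
  v4:
    - https://iplists.firehol.org/files/bi_any_0_1d.ipset
    - https://iplists.firehol.org/files/haley_ssh.ipset
    - https://iplists.firehol.org/files/firehol_level2.netset
  # Explicit empty list: a bare `v6:` would load as null rather than as an
  # empty sequence of URLs.
  v6: []

# Country list: two letter country codes defined in ISO 3166-1
# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
COUNTRY_LIST:
  - cn

# Country policy: 'drop' or 'accept', default: 'drop'
# drop - drop countries from list, accept others
# accept - accept countries from list, drop others
COUNTRY_POLICY: drop
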
# Country exclude ports: port numbers or names, e.g. [993, https]
# List is available in /etc/services
# These ports will be accessible on TCP and UDP protocols from all countries (but not from blacklisted IPs)
COUNTRY_EXCLUDE_PORTS: