-
Notifications
You must be signed in to change notification settings - Fork 10
/
nft-blackhole.conf
54 lines (38 loc) · 1.45 KB
/
nft-blackhole.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# Config file for nft-blackhole in yaml
# IP versions supported: 'on' or 'off', default 'off'
IP_VERSION:
v4: on
v6: on
# Block policy: 'drop' or 'reject', default: 'drop'
BLOCK_POLICY: drop
# Block output connections to blacklisted ips: 'on' or 'off', default: 'off'
# Connections to blocked countries will still be possible.
BLOCK_OUTPUT: off
# Block forwarded connections from blacklisted ips: 'on' or 'off', default: 'off'
BLOCK_FORWARD: off
# Whitelist: IP or Network adresses
WHITELIST:
v4:
- 127.0.0.1
# - 10.10.10.10/24
- 192.168.0.1/24
v6: ['2a02:8060::/31']
# Blacklist: URLs to IP or Network adresses
# For example, with: https://iplists.firehol.org/
BLACKLIST:
v4:
- https://iplists.firehol.org/files/bi_any_0_1d.ipset
- https://iplists.firehol.org/files/haley_ssh.ipset
- https://iplists.firehol.org/files/firehol_level2.netset
v6: []
# Country list: two letter country codes defined in ISO 3166-1
# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
COUNTRY_LIST: [cn, vn]
# Country policy: 'block' or 'accept', default: 'block'
# block - block coutries from list, accept others
# accept - accept coutries from list, block others
COUNTRY_POLICY: block
# Country exclude ports: port numbers or names, e.g: [993, https]
# List is available in /etc/services
# These ports will be accessible on TCP and UDP protocols from all countries (but not from blacklisted IPs)
COUNTRY_EXCLUDE_PORTS: []