branch: externals/nftables-mode commit 16adfabcec88578dd590d0121ec54e4b5ebb3ff4 Author: Trent W. Buck <trentb...@gmail.com> Commit: Trent W. Buck <trentb...@gmail.com>
add reminder re IPv6 ranges for SSH IPS
---
 nftables-router.nft | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/nftables-router.nft b/nftables-router.nft
index de03904583..1ced5255b4 100644
--- a/nftables-router.nft
+++ b/nftables-router.nft
@@ -425,6 +425,10 @@ table inet my_filter {
 ##
 ## * postscreen covers smtp (25/tcp).
 
+ ## FIXME: per https://wiki.dovecot.org/Authentication/Penalty, we
+ ## should meter/block IPv6 sources by /48 instead of by single address (as we do for IPv4).
+ ## Each corresponds to the typical allocation of a single ISP subscriber.
+
 chain my_IPS {
 ct state != new return comment "Operate per-flow, not per-packet (my_prologue guarantees this anyway)"
 iiftype != ppp return comment "IPS only protects against attacks from the internet"
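Review bot: The third added line states as fact that a /48 is "the typical allocation of a single ISP subscriber", but residential assignments commonly range from /48 down to /64, so metering by /48 can also rate-limit unrelated subscribers who share that prefix, while metering by single /128 address leaves a host free to move within its own /64 unpenalised; the FIXME should record that trade-off rather than one figure. I would reword the second and third added lines to `## should meter/block IPv6 sources by prefix instead of by single address (as we do for IPv4):` and `## the Dovecot page suggests /48, but per-subscriber allocations vary (/48 to /64), so the chosen prefix bounds both evasion and collateral blocking.` The word "Each" in the third line also has no clear referent; "Each such prefix" reads better if the original wording is kept. The meter rule this note refers to presumably sits in the body of `chain my_IPS`, which continues past the end of the hunk, so the comment should say which rule it applies to.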