Block outgoing traffic to local networks by default
Some software, e.g. go-ipfs, is rather aggressive in scanning local networks for peers, which can trigger abuse reports and IP locks in the data center.
This commit is contained in:
parent
61710aa4a4
commit
1afc3a5de5
|
@ -32,3 +32,19 @@ firewall_rule 'ssh-alt-port' do
|
|||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
%w{
|
||||
10.0.0.0/8
|
||||
172.16.0.0/12
|
||||
192.168.0.0/16
|
||||
100.64.0.0/10
|
||||
}.each do |ip|
|
||||
firewall_rule "unauthorized-private-network-#{ip}" do
|
||||
interface "enp35s0"
|
||||
destination ip
|
||||
direction :out
|
||||
protocol :none
|
||||
command :deny
|
||||
logging :connections
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue