Block outgoing traffic to local networks by default

Some software, e.g. go-ipfs, is rather aggressive in scanning local networks for peers, which can trigger abuse reports and IP locks in the data center.
2022-10-21 13:37:38 +02:00 · 2022-10-21 13:37:38 +02:00 · 1afc3a5de5
parent 61710aa4a4
commit 1afc3a5de5
1 changed files with 16 additions and 0 deletions
--- a/site-cookbooks/kosmos_kvm/recipes/host.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/host.rb
@ -32,3 +32,19 @@ firewall_rule 'ssh-alt-port' do
  protocol :tcp
  command  :allow
 end
+
+%w{
+  10.0.0.0/8
+  172.16.0.0/12
+  192.168.0.0/16
+  100.64.0.0/10
+}.each do |ip|
+  firewall_rule "unauthorized-private-network-#{ip}" do
+    interface "enp35s0"
+    destination ip
+    direction :out
+    protocol :none
+    command  :deny
+    logging :connections
+  end
+end