Block outgoing traffic to local networks by default
Some software, e.g. go-ipfs, is rather aggressive in scanning local networks for peers, which can trigger abuse reports and IP locks in the data center.
parent
61710aa4a4
commit
1afc3a5de5
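--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -32,3 +32,19 @@ firewall_rule 'ssh-alt-port' do
 protocol :tcp
 command :allow
 end
+
+%w{
+10.0.0.0/8
+172.16.0.0/12
+192.168.0.0/16
+100.64.0.0/10
+}.each do |ip|
+firewall_rule "unauthorized-private-network-#{ip}" do
+interface "enp35s0"
+destination ip
+direction :out
+protocol :none
+command :deny
+logging :connections
+end
+end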
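Review bot: The deny list in the `%w{ ... }` literal covers the RFC 1918 and CGNAT ranges but not link-local `169.254.0.0/16` and no IPv6 range at all, so a peer-discovery scan over link-local or over `fc00::/7`/`fe80::/10` still leaves the host; adding `169.254.0.0/16` to the list (bearing in mind that range also carries a cloud metadata endpoint where one exists) and, if the firewall cookbook in use supports IPv6 rules, a parallel list for the IPv6 ranges would close the gap, and if the discovery in question uses mDNS then `224.0.0.0/4` is in the same position. The hard-coded `interface "enp35s0"` turns every one of these rules into a silent no-op on a host whose NIC is named differently or that has a second interface, which is a poor fit for a rule meant to deny by default; dropping the `interface` line so the deny applies to all outgoing interfaces, or reading it from a node attribute (constructed placeholder: `interface node['<cookbook>']['public_interface']`), is the safer shape. Whether `command :deny` here actually takes precedence over allow rules declared elsewhere depends on the cookbook's rule ordering (the `position` property is not set in the hunk), so it is worth confirming the resulting chain with `iptables -S OUTPUT` after a converge. The `firewall_rule 'ssh-alt-port'` block whose closing lines appear as context begins outside the hunk.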