amazon-archives / aws-waf-sample

This repository contains example scripts and sets of rules for the AWS WAF service. Please be aware that the applicability of these examples to specific workloads may vary.
MIT No Attribution

Incorrect subnet in generic-match-blacklisted-ips #35

Open benthomas4995 opened 5 years ago

benthomas4995 commented 5 years ago

172.16.0.0/16 should be 172.16.0.0/12 to cover the full RFC1918 space

*Edit: after trying to edit /16 to /12 in WAF, it throws a "Not a valid CIDR format." error, so there is a bug in WAF that appears not to allow masks from /9-/15 and /0-/7. The only way to cover 172.16.0.0/12 is to use individual /16s for 172.16-31.0.0. I created a patch version with this workaround, and after looking I did notice the "IP match condition" states that "AWS WAF supports /8 or any range from /16 to /32 CIDR blocks for IPv4", so I guess this is expected behavior; even so, the workaround is actually the way.
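The workaround above, generalized into a helper (an added example, not code from the aws-waf-sample repository): given any IPv4 CIDR, it returns the fewest blocks AWS WAF's IP match condition accepts, assuming the limits quoted in the comment (/8, or /16 through /32), so a /9-/15 range becomes a list of /16s and a /0-/7 range becomes a list of /8s.

```python
import ipaddress

# Prefix lengths the IP match condition accepts for IPv4, as quoted in the
# issue: /8 or any range from /16 to /32. Anything else must be split.
SUPPORTED_PREFIXES = {8} | set(range(16, 33))


def is_waf_supported(network: ipaddress.IPv4Network) -> bool:
    """True if WAF will accept this network's prefix length as-is."""
    return network.prefixlen in SUPPORTED_PREFIXES


def expand_for_waf(cidr: str) -> list:
    """Split an IPv4 CIDR into the fewest blocks WAF accepts.

    /0-/7  -> list of /8s   (10.0.0.0/7 -> 10.0.0.0/8, 11.0.0.0/8)
    /9-/15 -> list of /16s  (172.16.0.0/12 -> 172.16.0.0/16 ... 172.31.0.0/16)
    Supported prefixes are returned unchanged as a one-element list.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("only IPv4 CIDRs are handled here")
    if is_waf_supported(net):
        return [str(net)]
    # /0-/7 can only be covered by /8s; /9-/15 by /16s.
    new_prefix = 8 if net.prefixlen < 8 else 16
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


# The full RFC1918 space; 172.16.0.0/12 is the range the issue says the
# blacklist rule should cover instead of 172.16.0.0/16.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def rfc1918_for_waf() -> list:
    """RFC1918 expressed only in block sizes the IP match condition accepts."""
    blocks = []
    for cidr in RFC1918:
        blocks.extend(expand_for_waf(cidr))
    return blocks


if __name__ == "__main__":
    for block in rfc1918_for_waf():
        print(block)
```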