pcollinson / nftfw

nftfw - nftables firewall builder for Debian
MIT License

IPSET files #12

Closed ben-auo closed 1 month ago

ben-auo commented 1 month ago

I know I can add netset files (one CIDR entry per line) in the blacknets.d directory, but can I also add ipset files (one IP address per line) or do I need to append /32 to each of those lines?

pcollinson commented 1 month ago

It will take single IP addresses. However, ensure that config.ini says

blacklist_set_auto_merge = True
blacknets_set_auto_merge = True

This will automatically make the sets create address ranges for you. The bug that caused this to fail in earlier versions of nftables has gone away.

ben-auo commented 1 month ago

Thanks for confirming. Also, can I add an ipset file to the incoming.d directory or are blacklist files only supported in the blacknets.d directory? (I have a large file of Geo IPs but I only need to block incoming traffic for those, not outgoing)

pcollinson commented 1 month ago

As distributed nftfw has no checks on outbound packets. You can add this if you wish by changing nftfw.init. You can add single ips by adding a file named for the ipaddress in the blacklist.d directory. If you want to add a CIDR to the address use a vertical bar in the address.

Actually this is all there in man nftfw-files, or should be.
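As an added example (not nftfw's own code, and not part of this thread), the following Python shows the two points made above in working form: an "ipset" file with one bare address per line parses into the same host networks (/32 or /128) that a "netset" file would give, adjacent and overlapping entries can be merged into covering ranges (the effect the auto_merge settings ask the nftables set to produce; here done with the standard `ipaddress` module purely to show the result), and a file name for blacklist.d can be derived from an address or CIDR using the vertical-bar convention stated in the reply. The function names, the sample list and the comment syntax (`#`) are assumptions made for the example; what goes inside a blacklist.d file is not covered here.

```python
"""Added example, not nftfw code: parse an ipset/netset list, merge it into
covering CIDRs, and derive blacklist.d file names (address with '|' for CIDR)."""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_netset(text: str) -> List[Network]:
    """One address or CIDR per line.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network, so a file of
    single IPs and a file of CIDRs are handled the same way.  Blank lines and
    '#' comments (an assumption of this example) are skipped.  Anything that is
    neither an address nor a CIDR raises ValueError naming the offending line,
    so a bad entry in a large geo list is found before it reaches the firewall.
    """
    nets: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set, e.g. 192.0.2.5/24 -> 192.0.2.0/24
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    return nets


def merge_networks(nets: List[Network]) -> List[Network]:
    """Collapse overlapping and adjacent networks into the smallest set of
    covering CIDRs, sorted by address family then address.  This is the kind
    of range merging an auto-merged set performs; it is computed here only to
    show the outcome, nftfw itself leaves it to nftables."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def blacklist_filename(net: Network) -> str:
    """File name for blacklist.d as described in the thread: a single host is
    named by its bare address; a CIDR uses a vertical bar in place of '/',
    which cannot appear in a file name."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return f"{net.network_address}|{net.prefixlen}"


# Constructed sample input: single IPs mixed with CIDRs, with overlaps and
# adjacency so that merging visibly changes the result.
SAMPLE_IPSET = """\
# constructed sample list
192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.0/30        # already covers the three hosts above
198.51.100.0/25
198.51.100.128/25   # adjacent to the previous line: together they form a /24
2001:db8::1
"""

if __name__ == "__main__":
    parsed = parse_netset(SAMPLE_IPSET)
    for net in merge_networks(parsed):
        print(f"{str(net):20} -> blacklist.d/{blacklist_filename(net)}")
```

Running the block prints three merged ranges (192.0.2.0/30, 198.51.100.0/24 and 2001:db8::1/128) from the seven input lines, alongside the blacklist.d name each would get; `parse_netset` is the part worth keeping when importing a large third-party list, since one malformed line otherwise surfaces only when the firewall is loaded.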

ben-auo commented 1 month ago

Thanks