Differences
Below are the differences between two revisions of the page.
pratique:informatique:parefeu:nftables [30/01/2025 16:24] – config file update Zatalyz | pratique:informatique:parefeu:nftables [30/01/2025 20:17] (Current version) – [Example files for different cases] Zatalyz | ||
---|---|---|---|
Line 217: | Line 217: | ||
ip6 saddr @offender_count counter > 1 add @blocklist { ip6 saddr timeout 10m } | ip6 saddr @offender_count counter > 1 add @blocklist { ip6 saddr timeout 10m } | ||
- | # Protection contre les attaques IPv6 (flood udp, syn, ack, rst, ping) | + | # Protection contre les attaques IPv6 (flood udp, syn, ack, rst, ping (on accepte) |
ip6 nexthdr udp limit rate over 200/second add @offender_count { ip6 saddr } drop | ip6 nexthdr udp limit rate over 200/second add @offender_count { ip6 saddr } drop | ||
tcp flags syn limit rate over 100/second add @offender_count { ip6 saddr } drop | tcp flags syn limit rate over 100/second add @offender_count { ip6 saddr } drop | ||
tcp flags ack limit rate over 100/second add @offender_count { ip6 saddr } drop | tcp flags ack limit rate over 100/second add @offender_count { ip6 saddr } drop | ||
tcp flags rst limit rate over 50/second add @offender_count { ip6 saddr } drop | tcp flags rst limit rate over 50/second add @offender_count { ip6 saddr } drop | ||
+ | icmpv6 type echo-request limit rate 10/second accept | ||
icmpv6 type echo-request limit rate over 10/second add @offender_count { ip6 saddr } drop | icmpv6 type echo-request limit rate over 10/second add @offender_count { ip6 saddr } drop | ||
} | } |
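Review bot: the added `icmpv6 type echo-request limit rate 10/second accept` rule and the existing `icmpv6 type echo-request limit rate over 10/second add @offender_count { ip6 saddr } drop` rule below it each keep their own limiter state, so the drop rule only ever sees the echo-requests the accept rule did not match. With the new order, a source sending between 10/s and roughly 20/s gets its first 10/s accepted and the excess falls through to the rest of the chain without being dropped or counted in `@offender_count`; only traffic well above the threshold triggers the blocklist. If the intent is "accept pings up to 10/s, drop and count everything above", put the `limit rate over 10/second ... drop` rule first and follow it with a plain `icmpv6 type echo-request accept`, so the excess is handled before the accept. Also, the updated comment `# Protection contre les attaques IPv6 (flood udp, syn, ack, rst, ping (on accepte)` opens two parentheses and closes one; closing it (e.g. `ping (on accepte))`) keeps the comment readable.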