-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
block an IP at the kernel level? #2003
Comments
Yes, it is possible: Nanos has a klib that implements a network firewall: see https://docs.ops.city/ops/klibs (at the "Firewall" section) for documentation and usage examples. |
@francescolavra cool! https://docs.ops.city/ops/klibs#firewall but that's a static one. I don't see an API call that would allow me to edit it? |
can you describe a bit more what your usecase is? |
Say I have an adaptive rule in app that decides something's being abusive. I'd like to block it earlier on in the network call stack, rather than at the golang level. |
if you're trying to block something before it even touches your instance the easiest/most straight-forward thing to do would be to apply a new fw rule via your cloud |
That only slightly works depending on the cloud provider - I was curious about a host based middle ground similar to iptables For example:
"supported" is relative as there's a maximum size limit to many of their rulesets. |
i understand what you want but need some more context around your specific use-case specifically how are you identifying abusive traffic? and how would you flag/block it? if it's something like a fail2ban filter that is automated that logic needs to live somewhere and that could be quite extensive/different depending on use-case (eg: spotting credential stuffing would be very different than say a syn flood); if it's not automated and you are just spotting stuff manually setting a |
Isn't that on the read only system partition that the user code can't modify? |
you would set it in your config and re-deploy which should only take few tens of seconds; really this comes back to whether this is a manual process or automatic |
That fits more for ephemeral nodes, but if you've got quite a lot happening on the node it would take time to shed load, finish jobs, and transfer storage. |
Is it possible to block an IP at the kernel level (vs doing this at the infrastructure level, I know I know...)
vs having to block it / check it in the application code?
The text was updated successfully, but these errors were encountered: