Source Filter
The filter inspects the source address and port of TCP and UDP packets. It is useful for limiting traffic by GeoIP and for mitigating amplification attacks, such as DNS or NTP amplification. It also allows complete bypass of all checks for specific sources (white list), for example, to always allow an administrator to log in to a server under attack or to avoid accidentally blocking web crawler bots.
A rule may define either a source address or a source port, but not both.
Specifying a port in an allow rule is prohibited because the filter always checks the source address and the default action; an allowed port would therefore have no effect.
Network masks may be used instead of single addresses. More specific rules take precedence: an exact (single) address takes precedence over a network, and a smaller network takes precedence over a larger one. If an IP address or network is allowed, the packet is passed to the TCP/IP stack (i.e., consumed).
An ISO 3166 country code may be specified instead of an IP address.
The code is expanded into a set of masked IP addresses if a MaxMind GeoIP database is provided; otherwise, the entry is ignored.
The database can be supplied via the command-line option -g and can later be reloaded from the same path using:
tfw reload
Rate limiting in this filter is applied to all allowed source IP addresses. An LRU mechanism is used to evict records for the least active IP addresses.
Default Policy: The source filter consists of two separate sub-filters:
src_ip — checks the source IP address (or GeoIP-expanded addresses).
src_port — checks the source port.
For each sub-filter, traffic that does not match any explicit rule is processed according to the default action defined in the defaults section.
src_ip default action: may be allow, block, or a named ratelimit.
src_port default action: may be allow, block, or a named ratelimit.
First, each sub-filter applies any explicit rules. Then, the corresponding default action is applied if no explicit match exists. If no action is specified for the corresponding protocol in the defaults section, the defaults are allow.
Example configuration:
src=my_ratelimited2 ip4.udp : allow {
10.0.0.0/9,
1.1.1.1,
:50,
uk
}
You can add entries to the rule named my_ratelimited2 using the /add command:
src=my_ratelimited2/add {
192.168.1.10/24
}
In a patch, you can delete specific entries from the rule named my_ratelimited2 using the /del command:
src=my_ratelimited2/del {
1.1.1.1
}
You can delete the entire rule in a patch with:
src=my_ratelimited2/del;
You can also update only the rule attributes using the /replace command. All attributes must be specified; otherwise, unspecified attributes will be replaced with their default values:
src=my_ratelimited2/replace ip4.udp : ratelimit=whitelist_ratelimit;
When the /replace command is used with entries, the entire rule, both attributes and entry list, is replaced:
src=my_ratelimited2/replace ip4.udp : allow {
10.0.0.0/9,
1.1.1.1,
}
By default, the /replace command is used.
You can define multiple source rules with different names.
Each rule name must be unique; otherwise, the configuration will be rejected.
An empty name is not allowed, so the reserved name ip4.udp can be used:
src ip4.udp : allow {
10.0.0.0/9,
1.1.1.1,
}
In this case, /add, /del, and /replace operations are still permitted in a patch:
src=ip4.udp/add {
192.168.1.10/24
}
The MaxMind database supports both IPv4 and IPv6 address sets for ISO 3166 country codes. Therefore, the address family must be specified explicitly. In the following example, only IPv4 addresses are allowed:
src=geo_ip4 ip4.tcp : allow { uk, au }
Note that rate limiting is applied independently to each listed IP address or port. If a network is listed, the rate limit is applied separately to each observed IP address within that network.
Use the defaults section to apply an action to all source traffic for a specific L3 protocol or for a specific L3/L4 protocol combination:
defaults {
...
src_ip ip6: allow; # default for all IPv6 addresses
src_port ip4.tcp: block; # default for TCP ports over IPv4
...
}
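The matching order described above (explicit entries first, with an exact address beating a network and a smaller network beating a larger one, then the sub-filter's default action) and the rule that a port entry is prohibited in an allow rule, as an added Python model of the semantics; this is not the filter's own code, the SourceRule class and the rule set are constructed for illustration, and no GeoIP database is assumed, so country-code entries are ignored as the text states:

```python
import ipaddress

# Hypothetical model of one src=<name> rule: an action plus address/port entries.
# Country codes such as "uk" are skipped because no GeoIP database is assumed.
class SourceRule:
    def __init__(self, name, action, entries):
        self.name, self.action = name, action
        self.nets, self.ports = [], set()
        for entry in entries:
            if entry.startswith(":"):           # ":53" is a source-port entry
                self.ports.add(int(entry[1:]))
                continue
            try:                                # single address or network, e.g. 1.1.1.1 or 10.0.0.0/9
                self.nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:                  # country code: ignored without a GeoIP database
                pass
        if action == "allow" and self.ports:
            raise ValueError(f"{name}: a port entry in an allow rule is prohibited")

def src_ip_action(rules, src_addr, default="allow"):
    """src_ip sub-filter: the most specific matching entry wins, else the default action."""
    addr = ipaddress.ip_address(src_addr)
    best = None                                 # (prefix length, action) of the best match so far
    for rule in rules:
        for net in rule.nets:
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, rule.action)
    return best[1] if best else default

def src_port_action(rules, src_port, default="allow"):
    """src_port sub-filter: port entries are exact, so the first rule listing the port decides."""
    for rule in rules:
        if src_port in rule.ports:
            return rule.action
    return default

# Constructed rule set: an allow list, a blocked sub-network inside it, one
# exact host re-allowed inside that, and a rate limit keyed on a source port.
RULES = [
    SourceRule("my_ratelimited2", "allow", ["10.0.0.0/9", "1.1.1.1", "uk"]),
    SourceRule("noisy_subnet", "block", ["10.1.0.0/16"]),
    SourceRule("admin_host", "allow", ["10.1.2.3"]),
    SourceRule("amp_ports", "ratelimit=whitelist_ratelimit", [":53"]),
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.1.5.5", "10.100.0.1", "11.0.0.1"):
        print(ip, "->", src_ip_action(RULES, ip))
    print("port 53 ->", src_port_action(RULES, 53, default="block"))
```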