~mdw / firewall / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
vampire.m4: Log messages when rejecting DNS DDOS packets.
[firewall] / vampire.m4
diff --git a/vampire.m4 b/vampire.m4
index 3a389ca..05a3293 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -36,10 +36,15 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### vampire-specific rules.
 
+m4_divert(35)m4_dnl
+errorchain ddos-evil-dns DROP
+## Invalid DNS request with probably-forged sender address, with intent to
+## cause DDOS.
+
 m4_divert(82)m4_dnl
 ## Repelling evil DDos attack.
 run ipset -N ddos-evil-dns iphash 2>/dev/null || :
-run iptables -A inbound -j DROP \
+run iptables -A inbound -g ddos-evil-dns \
        -m set --set ddos-evil-dns src \
        -p udp --destination-port $port_dns
 
Firewall scripts for distorted.org.uk.