nftables: block IPv6 for forum web server

We used to have this but it was lost during changes to our firewall rules. We don't have an AAAA record for discuss.grapheneos.org to avoid IPv6 connections but should also be explicitly blocking it. We're doing this due to reliance on IP bans for registration to block spammers and having IPv6 would greatly weaken it even if banning based on /64.
2025-11-18 22:12:56 -05:00 · 2025-08-28 11:25:11 -04:00 · 2025-08-28 11:25:11 -04:00 · cb01ad4f20
commit cb01ad4f20
parent e77a5fb357
1 changed files with 3 additions and 0 deletions
--- a/etc/nftables/nftables-discuss.conf
+++ b/etc/nftables/nftables-discuss.conf
@ -37,6 +37,9 @@ table inet filter {
        # ordered after accepting loopback to permit using external IPs via loopback
        fib daddr . iif type != { local, broadcast, multicast } counter drop

+        # IPv6 interacts badly with IP-based spam filtering
+        meta nfproto ipv6 tcp dport {80, 443} drop
+
        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept