I have (courtesy of fail2ban + nginx) tables of IPs I would like to stop from accessing the server in any way (ssh, web, etc.).
When they try to ssh, pf blocks them like it should. When they access the webserver directly, they get blocked. But when they access via a proxy, I have no idea what to do. The firewall rules that I have block requests from IPs listed in certain tables (block quick from <table>) and via the fail2ban anchor (anchor "f2b/*"). I don't want to block the addresses of the proxy servers - normal innocent people use those proxies too.
I know that the IP of the original host is mentioned in a specific header (X-Forwarded-For). Is there a way I can get the firewall (pf, or any other firewall even) to check the IP in this header field against the table of banned IPs? Are the contents of packet header fields actually available at the stack level of the firewall?
Of course, the webserver (nginx) can see the origin IPs and can be also used to block the offenders, but I would prefer to solve the problem at the firewall level, if possible.
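pf matches on IP and TCP/UDP headers and does not parse HTTP, so X-Forwarded-For is not visible to it; the check has to happen where the header is read, i.e. in nginx. The configuration below is an added example, not part of the original question, showing how the realip module does this. The proxy range 203.0.113.0/24, the banned addresses 198.51.100.7 and 192.0.2.0/24, and the hostname are constructed placeholders. The important detail is set_real_ip_from: X-Forwarded-For is an ordinary request header that any client can put anything into, so it must only be honoured when the TCP peer really is one of the known proxies; otherwise a direct client could present a forged origin address and bypass (or trigger) the ban.

```nginx
# Added example, not from the original post. Values are placeholders.
http {
    # Rewrite $remote_addr from X-Forwarded-For, but only when the TCP peer
    # is a known proxy. For any other peer the header is ignored and
    # $remote_addr keeps the real peer address, so spoofed headers do nothing.
    set_real_ip_from  203.0.113.0/24;      # assumed proxy network
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;                  # walk the chain right-to-left past trusted proxies

    # Keep the real peer address alongside the derived client address so
    # forged X-Forwarded-For values from direct clients stay visible in logs.
    log_format xff '$realip_remote_addr -> $remote_addr '
                   'xff="$http_x_forwarded_for" "$request" $status';
    access_log /var/log/nginx/access.log xff;

    server {
        listen      80;
        server_name example.com;           # placeholder

        # Ban list applied to the (possibly realip-rewritten) client address.
        # These lines could also live in an included file regenerated from
        # the same data that feeds the pf table, followed by a reload.
        deny 198.51.100.7;                 # constructed banned host
        deny 192.0.2.0/24;                 # constructed banned network
        allow all;

        location / {
            root /var/www/html;
        }
    }
}
```

deny/allow compare against $remote_addr, which the realip module rewrites before the access module runs, so the same list covers direct connections (peer address) and proxied ones (origin address taken from the header). Only proxies listed in set_real_ip_from can influence that address, which is what keeps the ban from being evaded or abused through a forged header.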