From 0ac176da01e6b0f1e31e156a59fc6579b9fedb7d Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 20 Jun 2026 08:03:46 +0000
Subject: [PATCH] crowdsec: whitelist internal/LAN/tailnet CIDRs at the decision layer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Preparing for real CrowdSec enforcement (edge Cloudflare Worker for proxied hosts + cs-firewall-bouncer for direct hosts). Both enforce by dropping the real source IP, so if an internal/RFC1918 address ever ended up in a ban decision it could blackhole legitimate internal traffic. Whitelisting the cluster/LAN/tailnet ranges (10/8, 172.16/12, 192.168/16, 100.64/10) at the CrowdSec parser layer makes that structurally impossible — a trusted source can never produce a decision in the first place. Public IP already whitelisted.

Co-Authored-By: Claude Opus 4.8
---
 stacks/crowdsec/modules/crowdsec/main.tf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/stacks/crowdsec/modules/crowdsec/main.tf b/stacks/crowdsec/modules/crowdsec/main.tf
index a900e8c4..650aafb3 100644
--- a/stacks/crowdsec/modules/crowdsec/main.tf
+++ b/stacks/crowdsec/modules/crowdsec/main.tf
@@ -102,6 +102,15 @@ resource "kubernetes_config_map" "crowdsec_whitelist" {
 reason: "Trusted IP - never block"
 ip:
 - "176.12.22.76"
+ cidr:
+ # Never ban internal/cluster/LAN/tailnet sources. Enforcement (edge
+ # Worker + firewall-bouncer) drops on real source IP, so an internal
+ # range slipping into a decision could blackhole legit traffic — this
+ # makes that structurally impossible at the decision layer.
+ - "10.0.0.0/8" # k8s nodes/pods/services + VLAN 10/20
+ - "172.16.0.0/12" # RFC1918
+ - "192.168.0.0/16" # LAN (192.168.1.0/24) + Sofia
+ - "100.64.0.0/10" # Headscale tailnet (CGNAT)
 ---
 name: viktor/immich-asset-paths-whitelist
 description: "Don't penalise legit Immich timeline bursts (mobile scrub, web grid)"
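Review bot: A parser-level whitelist exempts these ranges from detection, not only from enforcement, so this guard is only as trustworthy as the source IP the log parsers assign; if any ingested log takes `source_ip` from a client-controlled header such as X-Forwarded-For rather than from the TCP peer or Cloudflare's connecting-IP field, a request carrying a private address in that header is now skipped before any scenario sees it, which is worth confirming per datasource before enforcement goes live. It also means a compromised LAN or tailnet peer produces no alert at all, a visibility trade-off the new comment block should state rather than leave implied. The comment's claim that an internal ban becomes "structurally impossible" is broader than a whitelist parser can deliver, since decisions added manually or imported from external blocklists do not pass through the parser, so a matching allowlist on the bouncer side would be the defence-in-depth control. Consider rewording the comment to `# Parser whitelist: events from these ranges are dropped before detection (no alerts); bouncers should also allowlist them.` The enclosing `kubernetes_config_map` resource and the heredoc it wraps start before the hunk.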