infra

Viktor Barzin 0ac176da01 crowdsec: whitelist internal/LAN/tailnet CIDRs at the decision layer Preparing for real CrowdSec enforcement (edge Cloudflare Worker for proxied hosts + cs-firewall-bouncer for direct hosts). Both enforce by dropping the real source IP, so if an internal/RFC1918 address ever ended up in a ban decision it could blackhole legitimate internal traffic. Whitelisting the cluster/LAN/tailnet ranges (10/8, 172.16/12, 192.168/16, 100.64/10) at the CrowdSec parser layer makes that structurally impossible — a trusted source can never produce a decision in the first place. Public IP already whitelisted. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-20 08:03:46 +00:00
..
crowdsec	crowdsec: whitelist internal/LAN/tailnet CIDRs at the decision layer	2026-06-20 08:03:46 +00:00

Viktor Barzin 0ac176da01 crowdsec: whitelist internal/LAN/tailnet CIDRs at the decision layer

Preparing for real CrowdSec enforcement (edge Cloudflare Worker for proxied
hosts + cs-firewall-bouncer for direct hosts). Both enforce by dropping the
real source IP, so if an internal/RFC1918 address ever ended up in a ban
decision it could blackhole legitimate internal traffic. Whitelisting the
cluster/LAN/tailnet ranges (10/8, 172.16/12, 192.168/16, 100.64/10) at the
CrowdSec parser layer makes that structurally impossible — a trusted source
can never produce a decision in the first place. Public IP already whitelisted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-20 08:03:46 +00:00

crowdsec

crowdsec: whitelist internal/LAN/tailnet CIDRs at the decision layer

2026-06-20 08:03:46 +00:00