vampire: Add special hook for DNS badness.

[firewall] / vampire.m4

diff --git a/vampire.m4 b/vampire.m4
index 13e37bd6477ea550b2ec6054c6ac8bcdae396a8a..3a389caec2d4d0d575f89a2f5fc79c3658bd39b5 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -37,6 +37,12 @@ m4_divert(-1)
 ### vampire-specific rules.
 
 m4_divert(82)m4_dnl
+## Repelling evil DDos attack.
+run ipset -N ddos-evil-dns iphash 2>/dev/null || :
+run iptables -A inbound -j DROP \
+       -m set --set ddos-evil-dns src \
+       -p udp --destination-port $port_dns
+
 ## Externally visible services.
 allowservices inbound tcp \
        finger ident \