Add ability to blacklist ip ranges for federation traffic (#5043)

author: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> 2019-05-13 11:05:06 -0700
committer: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> 2019-05-13 19:05:06 +0100
commit: 5a4b328f522e9d08248dc03613fb0529f7529dbb (patch)
tree: a9593782314649f749411b558d51e24d98fef5c7 /docs
parent: 0.99.4rc1 (diff)
download: synapse-5a4b328f522e9d08248dc03613fb0529f7529dbb.tar.xz
1 files changed, 18 insertions, 0 deletions
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index bdfc34c6bd..c4e5c4cf39 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -115,6 +115,24 @@ pid_file: DATADIR/homeserver.pid
 #  - nyc.example.com
 #  - syd.example.com
 
+# Prevent federation requests from being sent to the following
+# blacklist IP address CIDR ranges. If this option is not specified, or
+# specified with an empty list, no ip range blacklist will be enforced.
+#
+# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
+# listed here, since they correspond to unroutable addresses.)
+#
+federation_ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '169.254.0.0/16'
+  - '::1/128'
+  - 'fe80::/64'
+  - 'fc00::/7'
+
 # List of ports that Synapse should listen on, their purpose and their
 # configuration.
 #
author	Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>	2019-05-13 11:05:06 -0700
committer	Richard van der Hoff <1389908+richvdh@users.noreply.github.com>	2019-05-13 19:05:06 +0100
commit	5a4b328f522e9d08248dc03613fb0529f7529dbb (patch)
tree	a9593782314649f749411b558d51e24d98fef5c7 /docs
parent	0.99.4rc1 (diff)
download	synapse-5a4b328f522e9d08248dc03613fb0529f7529dbb.tar.xz