We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
docs: publish aligned NFTBan wiki and operations reference Terminology/architecture/validation alignment across all pages; anchor Phase 0-6 (ddos_sanity=HYGIENE); operator command contract (nftban validate, nft list table); retired -v190/-delta duplicates; renamed release-numbered pages; 5 new operations/communications/reporting pages; Home + sidebar updated; all internal links resolve. Docs-only. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
docs(wiki): R2c truth pass — align WK-1..10 to shipped v1.218.7 behavior Wiki-only truth pass against code (fleet-live v1.218.7, nft schema 1.84.0). Human-guide style; links down to the repo /docs/operator contracts rather than duplicating them. No product-repo, register, or scope content changed. - WK-1 loopback-before-invalid (v1.217.0): Firewall-Anchor-Architecture + Architecture-Overview now show loopback accept BEFORE the ct-state-invalid drop. - WK-2: added the missing `nftban search` entry to CLI-Commands-Reference (RFC5737 examples; links to BAN_FORENSICS.md). - WK-3: refreshed stale version stamps to "Last verified: v1.218.7" across ~14 pages (frozen-authority versions kept, "Last verified" appended); Project-Statistics relabelled as a v1.203.0 snapshot. - WK-4 Suricata: rewrote the command surface to the 7 shipped Go subcommands (status/filters/daemon/ enable/disable/set-threshold/set-action); the profile-*/scan*/rules-*/sid-*/custom-*/recommend*/ stats-daemon commands are documented as removed-in-v1.92; filter table corrected to the real filters.conf set (ssh/http/mail/dns/scan/exploit/ddos/malware/botnet enabled; ftp/rdp/mysql/ postgresql disabled) — removed fabricated wp_login/wp_xmlrpc/joomla/drupal/phpmyadmin/smb/ldap/voip filters; Gbps sizing framed as guidance not benchmarks; opt-in EVE-ingestion intro. - WK-5 Security-Architecture: replaced the insecure prefix-match polkit example with the shipped explicit-unit-allowlist rule; corrected 3-group→two-group model and retired the nftban-panel / 30-nftban-panel.rules tier (retired v1.137). - WK-6 DDoS: kept the correct shipped limits (HTTP/HTTPS=200, mail=30, SSH=15 — NOT 150); clarified base counters are schema-owned/always-on (not the DDoS module) and the penalty ladder is the shell maintenance timer (daemon only proxies the write). - WK-7 GeoBan: disclosed the real default (enabled by default, allow-all policy → enabled-but-IDLE, blocks nothing until countries are configured) in Configuration-Reference + Blacklist pages. - WK-8 metrics: kept the code-true `:9580` loopback-by-default wording; fixed a stale /metrics ACL citation (daemon_http.go:99-105); removed the retired GUI-dashboard node (no product surface named, two code-true consumers: Prometheus textfile + JSON cache). - WK-9 SLSA: corrected the stale repo slug nftban-v1.0-dev → itcmsgr/nftban (12 sites); scoped SLSA wording to nftban-core. - WK-10 hygiene: scrubbed a real admin port (55000) and real routable example IPs (45.66.x) to neutral / RFC5737 values. - R2b explainers: added an "Operator contracts (in the repo /docs)" section to Security-Operations-Guide linking the four /docs/operator pages. WK-6/WK-8 corrected premises honored (no 150; loopback code-true). No RBL-blocking / cluster / live-GUI / unframed-benchmark claims; no register/scope/COMPLETED bodies pasted; leak-free (55000/45.66/nftban-v1.0-dev = 0). 22 pages.
docs(wiki): place endpoint-flood inside BotScan module page (v1.190.1) Fix taxonomy: endpoint-flood is a BotScan detector feature, not a module. - Add BotScan.md module page (access-log scanner: 404-flood, exploit/webshell/ scanner patterns, badbot/aibot, verified-crawler FCrDNS, endpoint-flood). Code-true units/knobs; enforcement via batch-signal -> daemon -> nft ban set; timer cadence (not realtime); ownership boundaries vs BotGuard (burst/concurrency) and LoginMon (credential-failure). - Sidebar: replace standalone 'BotScan: Endpoint-Flood' entry with 'BotScan (Web Access-Log)' module entry. - BotGuard.md: short boundary note cross-linking to BotScan for endpoint-volume floods (no full endpoint-flood docs copied in). - Remove standalone BotScan-Endpoint-Flood-Protection.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
wiki: v1.83 canonical rewrite — system contract + modules + structure Complete wiki alignment to v1.83 canonical design baseline. Added (8 new pages): - Glossary-and-Vocabulary (v1.81 vocabulary contract) - Health-Model (4-axis + consistency derivation) - DDoS-Protection (kernel-only, counter evidence) - Portscan-Detection (structure-only, no counter) - BotGuard (daemon-dependent, set evidence) - Login-Monitoring (journal + shared sets) - Blacklist-and-Threat-Intelligence (composite: manual/feeds/geoban) - Known-Limitations-and-Validation-Scope (validator scope per module) Replaced (6 pages): - Home → system contract (truth authority + evidence model + invariants) - Architecture-Overview → kernel-first with invariants - CLI-Commands-Reference → trust levels + v1.83 behavior - Configuration-Reference → per-key with axis effects - Project-Statistics → v1.83 metrics with history - _Sidebar → canonical navigation structure Fixed (2 pages): - Suricata-IDS-Integration: "rules loaded" → "rules present" - Optimization-Tools-and-Tweaks: "ok" → "protected" Archived (11 pages → archive/): - CLI-Command-Tree, Timer-Schedule, Large-Set-Management (merged) - API-Handlers-Map, Registry-Architecture, Queue-and-Mail-Contract (internal) - Security-CI-Pipeline, Coding-Standards, Performance-Benchmarks (internal) - Health-Check-Architecture, HTTP-Bot-Guard (replaced by new pages) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>