-
Notifications
You must be signed in to change notification settings - Fork 0
RBL Monitoring
Type: Security-monitoring module (observe-only) Last reviewed for terminology: v1.220.1; command details require code-specific verification.
RBL Monitoring checks the server's eligible public IPv4 and IPv6 addresses against DNS-based blocklists (DNSBLs / RBLs) and reports whether each address is listed, clean, or degraded / not-fully-verified. It exists to surface IP reputation and potential mail-delivery blocklisting risk — not to filter traffic.
RBL Monitoring is:
- scheduled and on-demand — a timer-driven check plus manual invocation;
- public-address-only — non-public (private / loopback / link-local / ULA / CGNAT) addresses are not eligible and are skipped;
- observe-only — it produces alerts and reports.
RBL Monitoring does not:
- issue bans;
- write nftables sets or rules;
- change packet enforcement in any way;
- perform automatic delisting;
- prove mail deliverability (a DNSBL check cannot determine a provider-specific Proofpoint/iCloud bounce).
Enabling RBL controls scheduling and alerts — not firewall enforcement. It is RBL Monitoring, never "RBL Protection" or "RBL Blocking."
Each checked address resolves to one of: listed, clean, or a degraded state (timeout / error / partial coverage). Degraded coverage is not the same as clean — a summary reports "No listings found, but RBL coverage degraded — not fully verified" when some providers could not be queried. Results are cached, and the check distinguishes IPv4 and IPv6 addresses.
| Command | Purpose |
|---|---|
nftban rbl server check |
On-demand, observe-only check of the server's own eligible public IPv4/IPv6 addresses. Does not modify nftables. |
nftban rbl status |
Show module state: enabled/disabled, timer state, providers, last-check age, cached results. |
nftban rbl enable / disable
|
Turn scheduled monitoring (the RBL check timer) on or off. Observe-only — does not change enforcement. |
nftban rbl watchlist … |
Manage a list of external IPs (e.g. customer/partner mail servers) to monitor. Separate from self-IP monitoring. |
Verify exact subcommands and flags against
nftban rbl --help/ the CLI command registry before relying on them in automation.
- Self-IP monitoring covers the host's own assigned public addresses; the watchlist covers external addresses you choose to watch.
- Because RBL is observe-only, its health surfaces report monitoring state and reputation findings — not firewall enforcement.
See Protection & Monitoring Modules for the full module inventory and Blacklist & Threat Feeds for the (separate, enforcing) IP-reputation blocking path.
NFTBan Wiki
Getting Started
Architecture
- Architecture Overview
- Firewall Anchor Architecture
- NFT Schema & Validator Model
- Health & Validation
- Metrics & Evidence Model
- Watchdog & Resource Profiles
- Security Architecture
Protection & Monitoring
- Protection & Monitoring Modules
- BotGuard — HTTP Guard
- BotScan — HTTP Exploit Scanner
- DDoS Protection
- Portscan Detection
- Login Monitoring
- Blacklist & Threat Feeds
- Suricata IDS Integration
- RBL Monitoring
- DNS Tunnel Detection
Operator Reference
- CLI Commands Reference
- Configuration Reference
- Systemd Units & Timers
- Optimization & Tuning
- Security Operations Guide
- GeoIP Database Guide
- FHS Compliance
- Troubleshooting & Selftest
Operations, Communications & Reporting
- Maintenance & Scheduled Operations
- Logging, Rotation & Retention
- Communications & Notifications
- Notification & Report Templates
- Audit Reports & Compliance
Verification & Trust
Reference
Legal