Skip to content

RBL Monitoring

Antonios Voulvoulis edited this page Jul 11, 2026 · 3 revisions

RBL Monitoring

Type: Security-monitoring module (observe-only) Last reviewed for terminology: v1.220.1; command details require code-specific verification.

RBL Monitoring checks the server's eligible public IPv4 and IPv6 addresses against DNS-based blocklists (DNSBLs / RBLs) and reports whether each address is listed, clean, or degraded / not-fully-verified. It exists to surface IP reputation and potential mail-delivery blocklisting risk — not to filter traffic.

What it is — and is not

RBL Monitoring is:

  • scheduled and on-demand — a timer-driven check plus manual invocation;
  • public-address-only — non-public (private / loopback / link-local / ULA / CGNAT) addresses are not eligible and are skipped;
  • observe-only — it produces alerts and reports.

RBL Monitoring does not:

  • issue bans;
  • write nftables sets or rules;
  • change packet enforcement in any way;
  • perform automatic delisting;
  • prove mail deliverability (a DNSBL check cannot determine a provider-specific Proofpoint/iCloud bounce).

Enabling RBL controls scheduling and alerts — not firewall enforcement. It is RBL Monitoring, never "RBL Protection" or "RBL Blocking."

State model

Each checked address resolves to one of: listed, clean, or a degraded state (timeout / error / partial coverage). Degraded coverage is not the same as clean — a summary reports "No listings found, but RBL coverage degraded — not fully verified" when some providers could not be queried. Results are cached, and the check distinguishes IPv4 and IPv6 addresses.

Operator commands

Command Purpose
nftban rbl server check On-demand, observe-only check of the server's own eligible public IPv4/IPv6 addresses. Does not modify nftables.
nftban rbl status Show module state: enabled/disabled, timer state, providers, last-check age, cached results.
nftban rbl enable / disable Turn scheduled monitoring (the RBL check timer) on or off. Observe-only — does not change enforcement.
nftban rbl watchlist … Manage a list of external IPs (e.g. customer/partner mail servers) to monitor. Separate from self-IP monitoring.

Verify exact subcommands and flags against nftban rbl --help / the CLI command registry before relying on them in automation.

Scope notes

  • Self-IP monitoring covers the host's own assigned public addresses; the watchlist covers external addresses you choose to watch.
  • Because RBL is observe-only, its health surfaces report monitoring state and reputation findings — not firewall enforcement.

See Protection & Monitoring Modules for the full module inventory and Blacklist & Threat Feeds for the (separate, enforcing) IP-reputation blocking path.

Clone this wiki locally