nftables IP ban based on appsec?
I've tried to search for support threads here on discord, but can't really find anything. I've also tried to read the docs and asked chatgpt (increadiably useless, but was worth a try) but I feel like I'm missing something fundamental here.
What I want:
- AppSec triggered from traefik to add an IP block on nftables.
My setup:
- Ubuntu server
- nftables in front of a traefik instance
- crowdsec installed, listening on port 8080, appsec running listening on port 7422
- crowdsec-bouncer-traefik-plugin installed and enabled (crowdsecMode: appsec)
- crowdsec-firewall-bouncer
When I manually add a decision
When I run "curl -vk "https://<server domain>/?id=%27%20OR%201%3D1--" I can see the following in my traefik logs.
DEBUG: CrowdsecBouncerTraefikPlugin: 2025/09/21 12:25:52 ServeHTTP ip:<client computer> isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2025/09/21 12:25:52 handleNextServeHTTP ip:<client computer> isWaf:true appsecQuery statusCode:403
10.0.0.169 - - [21/Sep/2025:12:25:52 +0000] "GET /?id=%27%20OR%201%3D1-- HTTP/2.0" 403 0 "-" "curl/8.11.1" 61 "next-router@file" "-" 67ms
cscli alert list shows:
So AppSec seems to do what I want. But decisions is empty.
My understanding of this is that there's an alert created based on the AppSec trigger, but no decision is matched. SO nftables will not block anything.
What I want:
- AppSec triggered from traefik to add an IP block on nftables.
My setup:
- Ubuntu server
- nftables in front of a traefik instance
- crowdsec installed, listening on port 8080, appsec running listening on port 7422
- crowdsec-bouncer-traefik-plugin installed and enabled (crowdsecMode: appsec)
- crowdsec-firewall-bouncer
When I manually add a decision
sudo cscli decisions add -i <client-up> -t ban -d 1mWhen I run "curl -vk "https://<server domain>/?id=%27%20OR%201%3D1--" I can see the following in my traefik logs.
DEBUG: CrowdsecBouncerTraefikPlugin: 2025/09/21 12:25:52 ServeHTTP ip:<client computer> isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2025/09/21 12:25:52 handleNextServeHTTP ip:<client computer> isWaf:true appsecQuery statusCode:403
10.0.0.169 - - [21/Sep/2025:12:25:52 +0000] "GET /?id=%27%20OR%201%3D1-- HTTP/2.0" 403 0 "-" "curl/8.11.1" 61 "next-router@file" "-" 67ms
cscli alert list shows:
So AppSec seems to do what I want. But decisions is empty.
My understanding of this is that there's an alert created based on the AppSec trigger, but no decision is matched. SO nftables will not block anything.
