Switch to reject and lower burst

2022-04-03 20:24:11 +00:00 · 2022-04-03 20:24:11 +00:00 · 62169a0990
parent f958cb11ec
commit 62169a0990
2 changed files with 5 additions and 5 deletions
--- a/config/nftables/APKBUILD
+++ b/config/nftables/APKBUILD
@ -3,7 +3,7 @@

 . ../APKBUILD-config.template

-pkgver=2022.04.03.02
+pkgver=2022.04.03.04
 pkgrel=0
 options="!check" # check requires root?

--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
@ -2,8 +2,8 @@
 #iifname "eth0" ct state new meter limit6  { ip6 saddr ct count over 10 } counter reject;

 # Ban if connection attempts are still made over the limit
-iifname "eth0" ct state new meter ban4  { ip  saddr timeout 10m limit rate over 1/second burst 30 packets } update @blackhole4 { ip  saddr timeout 10m } counter drop;
-iifname "eth0" ct state new meter ban6  { ip6 saddr timeout 10m limit rate over 1/second burst 30 packets } update @blackhole6 { ip6 saddr timeout 10m } counter drop;
+iifname "eth0" ct state new meter ban4  { ip  saddr timeout 10m limit rate over 1/second burst 20 packets } update @blackhole4 { ip  saddr timeout 10m } counter reject;
+iifname "eth0" ct state new meter ban6  { ip6 saddr timeout 10m limit rate over 1/second burst 20 packets } update @blackhole6 { ip6 saddr timeout 10m } counter reject;

-iifname "eth0" ct state new meter drop4 { ip  saddr timeout 10m limit rate over 1/second } counter drop;
-iifname "eth0" ct state new meter drop6 { ip6 saddr timeout 10m limit rate over 1/second } counter drop;
+iifname "eth0" ct state new meter drop4 { ip  saddr timeout 10m limit rate over 1/second } counter reject;
+iifname "eth0" ct state new meter drop6 { ip6 saddr timeout 10m limit rate over 1/second } counter reject;