From 01f7a89269d54f68e8b3f6cb72c719006dddd2b9 Mon Sep 17 00:00:00 2001
From: Alex Denes
Date: Fri, 17 Jun 2022 15:27:27 +0000
Subject: [PATCH] Use generic ratelimiter and relax limit

---
 config/nftables/APKBUILD | 2 +-
 .../nft/inet/redxenfirewall/filter/input/stateful/base | 7 ++-----
 .../nft/inet/redxenfirewall/filter/input/stateful/dovecot | 2 --
 .../nft/inet/redxenfirewall/filter/input/stateful/postfix | 2 --
 4 files changed, 3 insertions(+), 10 deletions(-)
 delete mode 100644 config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
 delete mode 100644 config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix

diff --git a/config/nftables/APKBUILD b/config/nftables/APKBUILD
index 8587d6a..38bc408 100644
--- a/config/nftables/APKBUILD
+++ b/config/nftables/APKBUILD
@@ -3,7 +3,7 @@
 . ../APKBUILD-config.template
-pkgver=2022.06.07.01
+pkgver=2022.06.17.01
 pkgrel=0
 options="!check" # check requires root?
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
index 387f28d..91c2e7b 100644
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
@@ -1,6 +1,3 @@
 # Ban if connection attempts are still made over the limit
-ct state new meter ban4 { ip saddr timeout 10m limit rate over 1/second burst 50 packets } update @blackhole4 { ip saddr timeout 1h } counter;
-ct state new meter ban6 { ip6 saddr timeout 10m limit rate over 1/second burst 50 packets } update @blackhole6 { ip6 saddr timeout 1h } counter;
-
-ct state new meter drop4 { ip saddr timeout 10m limit rate over 1/second } counter reject;
-ct state new meter drop6 { ip6 saddr timeout 10m limit rate over 1/second } counter reject;
+ct state new meter ban4 { ip saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole4 { ip saddr timeout 1h } counter reject;
+ct state new meter ban6 { ip6 saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole6 { ip6 saddr timeout 1h } counter reject;
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
deleted file mode 100644
index 60b6f13..0000000
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
+++ /dev/null
@@ -1,2 +0,0 @@
-tcp dport { 143, 993 } ct state new meter dovecot4 { ip saddr timeout 1h limit rate over 2/minute burst 20 packets } update @blackhole4 { ip saddr timeout 1h } counter;
-tcp dport { 143, 993 } ct state new meter dovecot6 { ip6 saddr timeout 1h limit rate over 2/minute burst 20 packets } update @blackhole6 { ip6 saddr timeout 1h } counter;
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
deleted file mode 100644
index 5296170..0000000
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
+++ /dev/null
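Review bot: With the dovecot and postfix meters deleted, ports 25/465/587/143/993 are now protected only by the generic `2/second burst 60 packets` meter in the new ban4/ban6 lines, whose sustained rate is about sixty times more permissive than the `2/minute burst 20 packets` rules being removed — a single source can open 60 SMTP/IMAP connections at once and then two per second for up to 10 minutes before it lands in the blackhole set, which is plenty for a credential-stuffing run unless Dovecot and Postfix enforce their own auth penalties, something this patch does not show. If the per-service files were dropped because burst 20 produced false positives on a busy MTA, consider keeping a stricter meter just for the mail ports, evaluated before the generic rule, e.g. `tcp dport { 25, 465, 587, 143, 993 } ct state new meter mail4 { ip saddr timeout 1h limit rate over 10/minute burst 30 packets } update @blackhole4 { ip saddr timeout 1h } counter reject;` plus its ip6 twin, with the numbers tuned to the real traffic. Separately, the new rule answers every over-limit `ct state new` packet with `reject`; since the meter is keyed on the source address of packets that have not completed a handshake, `drop` would avoid sending RST/ICMP replies toward a possibly spoofed address while leaving the blackhole update unchanged. Finally, recent nftables releases document `meter` as deprecated in favour of dynamic sets (`add @set { ip saddr limit rate over … }`), so a comment noting which syntax the installed version expects would help the next person touching this file.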
@@ -1,2 +0,0 @@
-tcp dport { 25, 465, 587 } ct state new meter postfix4 { ip saddr timeout 1h limit rate over 2/minute burst 20 packets } update @blackhole4 { ip saddr timeout 1h } counter;
-tcp dport { 25, 465, 587 } ct state new meter postfix6 { ip6 saddr timeout 1h limit rate over 2/minute burst 20 packets } update @blackhole6 { ip6 saddr timeout 1h } counter;