Make nftables rules more relaxed and close outbound connections early
This commit is contained in:
parent
fd4a6252f0
commit
1c38c257a9
@ -3,7 +3,7 @@
. ../APKBUILD-config.template
pkgver=2021.06.20.04
pkgver=2021.07.04.02
pkgrel=0
options="!check" # check requires root?
@ -1,2 +1,2 @@
ct state new iifname "eth0" meter global4 { ip saddr timeout 1m limit rate over 1/second burst 50 packets } add @blackhole4 { ip saddr } counter;
ct state new iifname "eth0" meter global6 { ip6 saddr timeout 1m limit rate over 1/second burst 50 packets } add @blackhole6 { ip6 saddr } counter;
ct state new iifname "eth0" meter global4 { ip saddr timeout 10m limit rate over 1/second burst 50 packets } update @blackhole4 { ip saddr } counter;
ct state new iifname "eth0" meter global6 { ip6 saddr timeout 10m limit rate over 1/second burst 50 packets } update @blackhole6 { ip6 saddr } counter;
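Review bot: Switching `add` to `update` on the global4/global6 meter rules makes a repeat offender's blackhole entry sticky: every new connection that trips the meter refreshes the set element's timeout, so a source that keeps retrying stays blocked for as long as it keeps exceeding the limit, whereas the commit message only describes the rules as "more relaxed". That is a defensible design, but it deserves a comment above the rules, e.g. `# update (not add) refreshes the blackhole entry on every over-limit burst, so persistent offenders stay blocked; one-off bursts expire with the set timeout`. The meter element timeout moving from 1m to 10m keeps per-source rate state around ten times longer, which is presumably intentional but is not mentioned anywhere. The dovecot and postfix hunks below make the same add→update change and would take the same comment.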
@ -1,2 +1,2 @@
tcp dport { 143, 993 } ct state new meter dovecot4 { ip saddr timeout 1m limit rate over 4/minute burst 10 packets } add @blackhole4 { ip saddr } counter;
tcp dport { 143, 993 } ct state new meter dovecot6 { ip6 saddr timeout 1m limit rate over 4/minute burst 10 packets } add @blackhole6 { ip6 saddr } counter;
tcp dport { 143, 993 } ct state new meter dovecot4 { ip saddr timeout 10m limit rate over 4/minute burst 10 packets } update @blackhole4 { ip saddr } counter;
tcp dport { 143, 993 } ct state new meter dovecot6 { ip6 saddr timeout 10m limit rate over 4/minute burst 10 packets } update @blackhole6 { ip6 saddr } counter;
@ -1,2 +1,2 @@
tcp dport { 25, 465, 587 } ct state new meter postfix4 { ip saddr timeout 1m limit rate over 4/minute burst 20 packets } add @blackhole4 { ip saddr } counter;
tcp dport { 25, 465, 587 } ct state new meter postfix6 { ip6 saddr timeout 1m limit rate over 4/minute burst 20 packets } add @blackhole6 { ip6 saddr } counter;
tcp dport { 25, 465, 587 } ct state new meter postfix4 { ip saddr timeout 10m limit rate over 4/minute burst 20 packets } update @blackhole4 { ip saddr } counter;
tcp dport { 25, 465, 587 } ct state new meter postfix6 { ip6 saddr timeout 10m limit rate over 4/minute burst 20 packets } update @blackhole6 { ip6 saddr } counter;
@ -0,0 +1,2 @@
ip daddr @blackhole4 counter reject;
ip6 daddr @blackhole6 counter reject;
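Review bot: The plain `reject` on both new lines reliably aborts only outbound connections that are still being set up; for a TCP session that is already established, the ICMP port-unreachable that `reject` emits by default is typically treated by the local stack as a soft error, so the socket keeps retransmitting rather than being closed early as the commit title intends. Put a TCP-specific reset ahead of the generic rule, e.g. `ip daddr @blackhole4 meta l4proto tcp counter reject with tcp reset;` and the matching `ip6 daddr @blackhole6 ... reject with tcp reset;`, keeping the existing lines for other protocols. The file path and the chain these lines are included into are not visible here; since the rules carry no `ct state` qualifier they will also hit established flows, which looks intended but should be said in a comment at the top of the file.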
@ -2,14 +2,14 @@ table inet redxenfirewall {
set blackhole4 {
type ipv4_addr;
timeout 4h;
flags timeout;
timeout 1h;
flags dynamic, timeout;
}
set blackhole6 {
type ipv6_addr;
timeout 4h;
flags timeout;
timeout 1h;
flags dynamic, timeout;
}
chain rxfi {
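Review bot: Both sets now carry `flags dynamic, timeout` but no `size` appears in the hunk; a set that the packet path can `add`/`update` into should be capped so that a burst of many distinct source addresses cannot grow it without bound, e.g. `size 65535;` inside each set block, unless a size is declared somewhere outside this hunk. The `timeout 1h` line also deserves a comment now that the meter rules use `update`: it is the idle expiry after the last over-limit burst, not a fixed ban length, e.g. `# idle expiry; refreshed by the meter rules' update statement`. The enclosing `table inet redxenfirewall` block starts before this hunk and the `chain rxfi` body continues past it.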