Make nftables rules more relaxed and close outbound connections early

2021-07-09 11:00:40 +00:00 · 2021-07-09 11:00:40 +00:00 · 1c38c257a9
parent fd4a6252f0
commit 1c38c257a9
6 changed files with 13 additions and 11 deletions
--- a/config/nftables/APKBUILD
+++ b/config/nftables/APKBUILD
@ -3,7 +3,7 @@

 . ../APKBUILD-config.template

-pkgver=2021.06.20.04
+pkgver=2021.07.04.02
 pkgrel=0
 options="!check" # check requires root?

--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
@ -1,2 +1,2 @@
-ct state new iifname "eth0" meter global4 { ip  saddr timeout 1m limit rate over 1/second burst 50 packets } add @blackhole4 { ip  saddr } counter;
-ct state new iifname "eth0" meter global6 { ip6 saddr timeout 1m limit rate over 1/second burst 50 packets } add @blackhole6 { ip6 saddr } counter;
+ct state new iifname "eth0" meter global4 { ip  saddr timeout 10m limit rate over 1/second burst 50 packets } update @blackhole4 { ip  saddr } counter;
+ct state new iifname "eth0" meter global6 { ip6 saddr timeout 10m limit rate over 1/second burst 50 packets } update @blackhole6 { ip6 saddr } counter;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
@ -1,2 +1,2 @@
-tcp dport { 143, 993 }  ct state new meter dovecot4 { ip  saddr timeout 1m limit rate over 4/minute burst 10 packets } add @blackhole4 { ip  saddr } counter;
-tcp dport { 143, 993 }  ct state new meter dovecot6 { ip6 saddr timeout 1m limit rate over 4/minute burst 10 packets } add @blackhole6 { ip6 saddr } counter;
+tcp dport { 143, 993 }  ct state new meter dovecot4 { ip  saddr timeout 10m limit rate over 4/minute burst 10 packets } update @blackhole4 { ip  saddr } counter;
+tcp dport { 143, 993 }  ct state new meter dovecot6 { ip6 saddr timeout 10m limit rate over 4/minute burst 10 packets } update @blackhole6 { ip6 saddr } counter;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
@ -1,2 +1,2 @@
-tcp dport { 25, 465, 587 }  ct state new meter postfix4 { ip  saddr timeout 1m limit rate over 4/minute burst 20 packets } add @blackhole4 { ip  saddr } counter;
-tcp dport { 25, 465, 587 }  ct state new meter postfix6 { ip6 saddr timeout 1m limit rate over 4/minute burst 20 packets } add @blackhole6 { ip6 saddr } counter;
+tcp dport { 25, 465, 587 }  ct state new meter postfix4 { ip  saddr timeout 10m limit rate over 4/minute burst 20 packets } update @blackhole4 { ip  saddr } counter;
+tcp dport { 25, 465, 587 }  ct state new meter postfix6 { ip6 saddr timeout 10m limit rate over 4/minute burst 20 packets } update @blackhole6 { ip6 saddr } counter;
--- a/config/nftables/nft/inet/redxenfirewall/filter/output/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/output/base
@ -0,0 +1,2 @@
+ip  daddr @blackhole4 counter reject;
+ip6 daddr @blackhole6 counter reject;
--- a/config/nftables/nft/inet/redxenfirewall/table
+++ b/config/nftables/nft/inet/redxenfirewall/table
@ -2,14 +2,14 @@ table inet redxenfirewall {

 	set blackhole4 {
 		type ipv4_addr;
-		timeout 4h;
-		flags timeout;
+		timeout 1h;
+		flags dynamic, timeout;
 	}

 	set blackhole6 {
 		type ipv6_addr;
-		timeout 4h;
-		flags timeout;
+		timeout 1h;
+		flags dynamic, timeout;
 	}

 	chain rxfi {