From 1c38c257a931d4e7b8235c59aef39af6b8927688 Mon Sep 17 00:00:00 2001
From: Alex Denes
Date: Fri, 9 Jul 2021 11:00:40 +0000
Subject: [PATCH] Make nftables rules more relaxed and close outbound connections early
---
 config/nftables/APKBUILD | 2 +-
 .../nft/inet/redxenfirewall/filter/input/stateful/base | 4 ++--
 .../nft/inet/redxenfirewall/filter/input/stateful/dovecot | 4 ++--
 .../nft/inet/redxenfirewall/filter/input/stateful/postfix | 4 ++--
 .../nftables/nft/inet/redxenfirewall/filter/output/base | 2 ++
 config/nftables/nft/inet/redxenfirewall/table | 8 ++++----
 6 files changed, 13 insertions(+), 11 deletions(-)
 create mode 100644 config/nftables/nft/inet/redxenfirewall/filter/output/base
diff --git a/config/nftables/APKBUILD b/config/nftables/APKBUILD
index 5cf8e10..b9c9a61 100644
--- a/config/nftables/APKBUILD
+++ b/config/nftables/APKBUILD
@@ -3,7 +3,7 @@ . ../APKBUILD-config.template
-pkgver=2021.06.20.04
+pkgver=2021.07.04.02
 pkgrel=0
 options="!check" # check requires root?
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
index 565f456..d81a291 100644
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
@@ -1,2 +1,2 @@
-ct state new iifname "eth0" meter global4 { ip saddr timeout 1m limit rate over 1/second burst 50 packets } add @blackhole4 { ip saddr } counter;
-ct state new iifname "eth0" meter global6 { ip6 saddr timeout 1m limit rate over 1/second burst 50 packets } add @blackhole6 { ip6 saddr } counter;
+ct state new iifname "eth0" meter global4 { ip saddr timeout 10m limit rate over 1/second burst 50 packets } update @blackhole4 { ip saddr } counter;
+ct state new iifname "eth0" meter global6 { ip6 saddr timeout 10m limit rate over 1/second burst 50 packets } update @blackhole6 { ip6 saddr } counter;
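Review bot: Replacing `add` with `update` on the `@blackhole4`/`@blackhole6` lines of the global meter rules changes when a ban expires: the set's 1h timeout is now refreshed by every packet that trips the meter, so a source that keeps probing stays blackholed for as long as this rule is still reached for it. Whether it is still reached depends on where the drop rule for the blackhole sets sits relative to these meter rules, and that rule is not in this diff; a comment such as `# update refreshes the 1h blackhole on each new rate-limit hit (add only started it)` would record the intent either way. The meter `timeout` going from 1m to 10m keeps per-source bucket state ten times longer, and as far as I know both the meters and the `dynamic` target sets are capacity-bounded with no explicit `size` given here, so once either fills up new offenders are silently no longer tracked, which fails open. Pinning a `size` on the meters and on the two sets in the table file would make that bound explicit and visible in counters. The dovecot and postfix hunks make the same `add`→`update` and `1m`→`10m` change and this note applies to them too.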
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
index 7ffd846..db9d725 100644
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
@@ -1,2 +1,2 @@
-tcp dport { 143, 993 } ct state new meter dovecot4 { ip saddr timeout 1m limit rate over 4/minute burst 10 packets } add @blackhole4 { ip saddr } counter;
-tcp dport { 143, 993 } ct state new meter dovecot6 { ip6 saddr timeout 1m limit rate over 4/minute burst 10 packets } add @blackhole6 { ip6 saddr } counter;
+tcp dport { 143, 993 } ct state new meter dovecot4 { ip saddr timeout 10m limit rate over 4/minute burst 10 packets } update @blackhole4 { ip saddr } counter;
+tcp dport { 143, 993 } ct state new meter dovecot6 { ip6 saddr timeout 10m limit rate over 4/minute burst 10 packets } update @blackhole6 { ip6 saddr } counter;
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
index 8ce46f2..2bd1049 100644
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
@@ -1,2 +1,2 @@
-tcp dport { 25, 465, 587 } ct state new meter postfix4 { ip saddr timeout 1m limit rate over 4/minute burst 20 packets } add @blackhole4 { ip saddr } counter;
-tcp dport { 25, 465, 587 } ct state new meter postfix6 { ip6 saddr timeout 1m limit rate over 4/minute burst 20 packets } add @blackhole6 { ip6 saddr } counter;
+tcp dport { 25, 465, 587 } ct state new meter postfix4 { ip saddr timeout 10m limit rate over 4/minute burst 20 packets } update @blackhole4 { ip saddr } counter;
+tcp dport { 25, 465, 587 } ct state new meter postfix6 { ip6 saddr timeout 10m limit rate over 4/minute burst 20 packets } update @blackhole6 { ip6 saddr } counter;
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/output/base b/config/nftables/nft/inet/redxenfirewall/filter/output/base
new file mode 100644
index 0000000..748c995
--- /dev/null
+++ b/config/nftables/nft/inet/redxenfirewall/filter/output/base
@@ -0,0 +1,2 @@
+ip daddr @blackhole4 counter reject;
+ip6 daddr @blackhole6 counter reject;
diff --git a/config/nftables/nft/inet/redxenfirewall/table b/config/nftables/nft/inet/redxenfirewall/table
index 23fbafa..1b75c66 100644
--- a/config/nftables/nft/inet/redxenfirewall/table
+++ b/config/nftables/nft/inet/redxenfirewall/table
@@ -2,14 +2,14 @@ table inet redxenfirewall {
 set blackhole4 {
 type ipv4_addr;
- timeout 4h;
- flags timeout;
+ timeout 1h;
+ flags dynamic, timeout;
 }
 set blackhole6 {
 type ipv6_addr;
- timeout 4h;
- flags timeout;
+ timeout 1h;
+ flags dynamic, timeout;
 }
 chain rxfi {
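Review bot: The two new output rules carry no `ct state` qualifier, so beyond cutting outbound connections to a blackholed address they reject every locally generated packet to it, including replies on inbound flows that were accepted before the peer landed in the set. If that is the intended "close early" behaviour, a one-line comment (`# rejects all egress to blackholed peers, including replies on flows accepted earlier`) would keep a later reader from narrowing it to `ct state new`. Nothing in this commit wires the file into a `hook output` chain; the table hunk only touches the two sets, so presumably the APKBUILD assembly picks up `filter/output/*` the same way it does `filter/input/stateful/*`, which is worth confirming, because otherwise these lines are never loaded. The `counter` is the only signal that a peer was cut off here, so the packet count on this rule is what will reveal a mis-blackholed upstream relay, and it deserves a place in whatever monitoring reads the other counters.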