Reorganize nftables and relax stateful firewall
This commit is contained in:
parent
3e3c7afbd7
commit
55707c2e84
|
@ -3,7 +3,7 @@
|
|||
|
||||
. ../APKBUILD-config.template
|
||||
|
||||
pkgver=2022.04.03.05
|
||||
pkgver=2022.05.28.02
|
||||
pkgrel=0
|
||||
options="!check" # check requires root?
|
||||
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
tcp dport 143 counter accept;
|
||||
tcp dport 993 counter accept;
|
||||
tcp dport { 143, 993 } counter accept;
|
||||
|
|
|
@ -1,3 +1 @@
|
|||
tcp dport 80 counter accept;
|
||||
tcp dport 443 counter accept;
|
||||
tcp dport 2442 counter accept; # Gitea SSH
|
||||
tcp dport { 80, 443, 2442 } counter accept;
|
||||
|
|
|
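Review bot: The merged rule on the new side drops the `# Gitea SSH` annotation that the removed `tcp dport 2442` line carried, so the one non-standard port in the set is no longer explained anywhere in the file. Keep it on the merged line: `tcp dport { 80, 443, 2442 } counter accept; # 2442 = Gitea SSH`. The IMAP and SMTP merges in the neighbouring hunks use well-known ports only and need no such comment.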
@ -1,3 +1 @@
|
|||
tcp dport 25 counter accept;
|
||||
tcp dport 465 counter accept;
|
||||
tcp dport 587 counter accept;
|
||||
tcp dport { 25, 465, 587 } counter accept;
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
ct state invalid counter drop;
|
||||
ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter reject with icmpx type admin-prohibited;
|
||||
ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter reject with icmpx type admin-prohibited;
|
|
@ -1 +0,0 @@
|
|||
ct state related,established counter accept;
|
|
@ -1,9 +1,6 @@
|
|||
#iifname "eth0" ct state new meter limit4 { ip saddr ct count over 10 } counter reject;
|
||||
#iifname "eth0" ct state new meter limit6 { ip6 saddr ct count over 10 } counter reject;
|
||||
|
||||
# Ban if connection attempts are still made over the limit
|
||||
iifname "eth0" ct state new meter ban4 { ip saddr timeout 1h limit rate over 20/minute burst 40 packets } update @blackhole4 { ip saddr timeout 10m } counter reject;
|
||||
iifname "eth0" ct state new meter ban6 { ip6 saddr timeout 1h limit rate over 20/minute burst 40 packets } update @blackhole6 { ip6 saddr timeout 10m } counter reject;
|
||||
ct state new meter ban4 { ip saddr timeout 1h limit rate over 1/second burst 10 packets } update @blackhole4 { ip saddr timeout 1h } counter;
|
||||
ct state new meter ban6 { ip6 saddr timeout 1h limit rate over 1/second burst 10 packets } update @blackhole6 { ip6 saddr timeout 1h } counter;
|
||||
|
||||
iifname "eth0" ct state new meter drop4 { ip saddr timeout 5m limit rate over 20/minute } counter reject;
|
||||
iifname "eth0" ct state new meter drop6 { ip6 saddr timeout 5m limit rate over 20/minute } counter reject;
|
||||
ct state new meter drop4 { ip saddr timeout 5m limit rate over 1/second } counter reject;
|
||||
ct state new meter drop6 { ip6 saddr timeout 5m limit rate over 1/second } counter reject;
|
||||
|
|
|
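Review bot: The two new `ban4`/`ban6` rules end in `counter;` with no verdict, so a source over the limit is only added to the blackhole set and then falls through to the `drop4`/`drop6` rule below, which is what actually rejects it; the removed `# Ban if connection attempts are still made over the limit` comment was the only explanation of this two-stage design and no comment replaces it on the new side. Add one above the ban rules, e.g. `# Over 1/s (burst 10): blackhole the source for 1h. No verdict here: the drop rules below reject this packet, the @blackhole check in rxfi rejects later ones.` The ban meters specify `burst 10 packets` while the drop meters use nft's default burst, so the exact point at which a source is blackholed rather than merely rejected depends on that default value — worth confirming and stating in the comment. The `iifname "eth0"` match was removed from all four rules; that is only safe if the chain these files are included into is reached solely for eth0 traffic, which the reorganised `rxfi-extern` chain in the last hunk appears to guarantee.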
@ -1,4 +0,0 @@
|
|||
iifname "lo" counter accept; # Loopback
|
||||
iifname "eth1" counter accept; # Private network
|
||||
icmp type { echo-request } counter accept;
|
||||
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;
|
|
@ -12,12 +12,23 @@ table inet redxenfirewall {
|
|||
|
||||
chain rxfi {
|
||||
type filter hook input priority 0;
|
||||
policy drop;
|
||||
include "inet/redxenfirewall/filter/input/blocked/*";
|
||||
include "inet/redxenfirewall/filter/input/trusted/*";
|
||||
policy accept;
|
||||
|
||||
ct state invalid counter drop;
|
||||
ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter reject with icmpx type admin-prohibited;
|
||||
ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter reject with icmpx type admin-prohibited;
|
||||
|
||||
icmp type { echo-request } counter accept;
|
||||
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;
|
||||
ct state related,established counter accept;
|
||||
|
||||
iifname "eth0" jump rxfi-extern;
|
||||
}
|
||||
|
||||
chain rxfi-extern {
|
||||
include "inet/redxenfirewall/filter/input/stateful/*";
|
||||
include "inet/redxenfirewall/filter/input/allowed/*";
|
||||
include "inet/redxenfirewall/filter/input/established/*";
|
||||
|
||||
counter reject with icmpx type admin-prohibited;
|
||||
}
|
||||
|
||||
|
|
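Review bot: The input hook chain `rxfi` switches from `policy drop;` to `policy accept;`, and only `iifname "eth0"` traffic is sent to `rxfi-extern` where the terminal `counter reject with icmpx type admin-prohibited;` lives, so packets arriving on any other interface are now accepted by default instead of being limited to the `lo` and `eth1` accepts that the deleted trusted file listed explicitly. Any interface added later (a tunnel, bridge or container veth) is therefore open on every port. If that is intended it should be stated in a comment on the `policy accept;` line; otherwise keep `policy drop;` and put `iifname { "lo", "eth1" } counter accept;` directly before the `iifname "eth0" jump rxfi-extern;` line. Separately, if the `include "inet/redxenfirewall/filter/input/established/*"` line in `rxfi-extern` is on the new side, the directory it points at is emptied by this same commit (the `ct state related,established` rule now sits in `rxfi`), so that include is either dead or — depending on how this nft version treats a glob that matches no file — a load error, and dropping it or confirming the behaviour would settle that. I cannot tell from the rendered hunk which of the `include` lines are removed and which are kept.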