Reorganize nftables and relax stateful firewall

2022-05-28 14:38:55 +00:00 · 2022-05-28 14:38:55 +00:00 · 55707c2e84
parent 3e3c7afbd7
commit 55707c2e84
9 changed files with 23 additions and 28 deletions
--- a/config/nftables/APKBUILD
+++ b/config/nftables/APKBUILD
@ -3,7 +3,7 @@

 . ../APKBUILD-config.template

-pkgver=2022.04.03.05
+pkgver=2022.05.28.02
 pkgrel=0
 options="!check" # check requires root?

--- a/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/dovecot
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/dovecot
@ -1,2 +1 @@
-tcp dport 143 counter accept;
-tcp dport 993 counter accept;
+tcp dport { 143, 993 } counter accept;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/haproxy
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/haproxy
@ -1,3 +1 @@
-tcp dport 80   counter accept;
-tcp dport 443  counter accept;
-tcp dport 2442 counter accept; # Gitea SSH
+tcp dport { 80, 443, 2442 } counter accept;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/postfix
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/postfix
@ -1,3 +1 @@
-tcp dport 25  counter accept;
-tcp dport 465 counter accept;
-tcp dport 587 counter accept;
+tcp dport { 25, 465, 587 } counter accept;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/blocked/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/blocked/base
@ -1,3 +0,0 @@
-ct state invalid counter drop;
-ip  saddr @blackhole4 update @blackhole4 { ip  saddr timeout 1h } counter reject with icmpx type admin-prohibited;
-ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter reject with icmpx type admin-prohibited;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/established/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/established/base
@ -1 +0,0 @@
-ct state related,established counter accept;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
@ -1,9 +1,6 @@
-#iifname "eth0" ct state new meter limit4  { ip  saddr ct count over 10 } counter reject;
-#iifname "eth0" ct state new meter limit6  { ip6 saddr ct count over 10 } counter reject;
-
 # Ban if connection attempts are still made over the limit
-iifname "eth0" ct state new meter ban4  { ip  saddr timeout 1h limit rate over 20/minute burst 40 packets } update @blackhole4 { ip  saddr timeout 10m } counter reject;
-iifname "eth0" ct state new meter ban6  { ip6 saddr timeout 1h limit rate over 20/minute burst 40 packets } update @blackhole6 { ip6 saddr timeout 10m } counter reject;
+ct state new meter ban4  { ip  saddr timeout 1h limit rate over 1/second burst 10 packets } update @blackhole4 { ip  saddr timeout 1h } counter;
+ct state new meter ban6  { ip6 saddr timeout 1h limit rate over 1/second burst 10 packets } update @blackhole6 { ip6 saddr timeout 1h } counter;

-iifname "eth0" ct state new meter drop4 { ip  saddr timeout 5m limit rate over 20/minute } counter reject;
-iifname "eth0" ct state new meter drop6 { ip6 saddr timeout 5m limit rate over 20/minute } counter reject;
+ct state new meter drop4 { ip  saddr timeout 5m limit rate over 1/second } counter reject;
+ct state new meter drop6 { ip6 saddr timeout 5m limit rate over 1/second } counter reject;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/trusted/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/trusted/base
@ -1,4 +0,0 @@
-iifname "lo"                                                                            counter accept; # Loopback
-iifname "eth1"                                                                          counter accept; # Private network
-icmp type { echo-request }                                                              counter accept;
-icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;
--- a/config/nftables/nft/inet/redxenfirewall/table
+++ b/config/nftables/nft/inet/redxenfirewall/table
@ -12,12 +12,23 @@ table inet redxenfirewall {

 	chain rxfi {
 		type filter hook input priority 0;
-		policy drop;
-		include "inet/redxenfirewall/filter/input/blocked/*";
-		include "inet/redxenfirewall/filter/input/trusted/*";
+		policy accept;
+
+		ct state invalid counter drop;
+		ip  saddr @blackhole4 update @blackhole4 { ip  saddr timeout 1h } counter reject with icmpx type admin-prohibited;
+		ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter reject with icmpx type admin-prohibited;
+
+		icmp type { echo-request }                                                              counter accept;
+		icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;
+		ct state related,established counter accept;
+
+		iifname "eth0" jump rxfi-extern;
+	}
+
+	chain rxfi-extern {
 		include "inet/redxenfirewall/filter/input/stateful/*";
 		include "inet/redxenfirewall/filter/input/allowed/*";
-		include "inet/redxenfirewall/filter/input/established/*";
+
 		counter reject with icmpx type admin-prohibited;
 	}
				`@ -1 +0,0 @@`
				`ct state related,established counter accept;`