diff --git a/config/nftables/APKBUILD b/config/nftables/APKBUILD
index 0c1ab47..fcf0e9c 100644
--- a/config/nftables/APKBUILD
+++ b/config/nftables/APKBUILD
@@ -3,7 +3,7 @@ . ../APKBUILD-config.template
-pkgver=2022.04.03.05
+pkgver=2022.05.28.02
 pkgrel=0
 options="!check" # check requires root?
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/dovecot b/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/dovecot
index 28929ea..c45181a 100644
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/dovecot
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/dovecot
@@ -1,2 +1 @@
-tcp dport 143 counter accept;
-tcp dport 993 counter accept;
+tcp dport { 143, 993 } counter accept;
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/haproxy b/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/haproxy
index 0e63193..9aeb20e 100644
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/haproxy
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/haproxy
@@ -1,3 +1 @@
-tcp dport 80 counter accept;
-tcp dport 443 counter accept;
-tcp dport 2442 counter accept; # Gitea SSH
+tcp dport { 80, 443, 2442 } counter accept;
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/postfix b/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/postfix
index 8931ac7..6dd4b62 100644
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/postfix
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/allowed/postfix
@@ -1,3 +1 @@
-tcp dport 25 counter accept;
-tcp dport 465 counter accept;
-tcp dport 587 counter accept;
+tcp dport { 25, 465, 587 } counter accept;
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/blocked/base b/config/nftables/nft/inet/redxenfirewall/filter/input/blocked/base
deleted file mode 100644
index e8bd8aa..0000000
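Review bot: The haproxy hunk drops the `# Gitea SSH` annotation that explained why 2442 is opened next to 80 and 443, so a later reader of the allowed/* rules has no hint that this port is an SSH endpoint rather than a web one. The set syntax can carry the note unchanged, e.g. `tcp dport { 80, 443, 2442 } counter accept; # 2442: Gitea SSH`. The dovecot and postfix hunks on this line are the same consolidation and lose no annotation.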
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/blocked/base
+++ /dev/null
@@ -1,3 +0,0 @@
-ct state invalid counter drop;
-ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter reject with icmpx type admin-prohibited;
-ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter reject with icmpx type admin-prohibited;
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/established/base b/config/nftables/nft/inet/redxenfirewall/filter/input/established/base
deleted file mode 100644
index a149b0a..0000000
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/established/base
+++ /dev/null
@@ -1 +0,0 @@
-ct state related,established counter accept;
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
index 1e80b5e..bbd7ebd 100644
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
@@ -1,9 +1,6 @@
-#iifname "eth0" ct state new meter limit4 { ip saddr ct count over 10 } counter reject;
-#iifname "eth0" ct state new meter limit6 { ip6 saddr ct count over 10 } counter reject;
- # Ban if connection attempts are still made over the limit
-iifname "eth0" ct state new meter ban4 { ip saddr timeout 1h limit rate over 20/minute burst 40 packets } update @blackhole4 { ip saddr timeout 10m } counter reject;
-iifname "eth0" ct state new meter ban6 { ip6 saddr timeout 1h limit rate over 20/minute burst 40 packets } update @blackhole6 { ip6 saddr timeout 10m } counter reject;
+ct state new meter ban4 { ip saddr timeout 1h limit rate over 1/second burst 10 packets } update @blackhole4 { ip saddr timeout 1h } counter;
+ct state new meter ban6 { ip6 saddr timeout 1h limit rate over 1/second burst 10 packets } update @blackhole6 { ip6 saddr timeout 1h } counter;
-iifname "eth0" ct state new meter drop4 { ip saddr timeout 5m limit rate over 20/minute } counter reject;
-iifname "eth0" ct state new meter drop6 { ip6 saddr timeout 5m limit rate over 20/minute } counter reject;
+ct state new meter drop4 { ip saddr timeout 5m limit rate over 1/second } counter reject;
+ct state new meter drop6 { ip6 saddr timeout 5m limit rate over 1/second } counter reject;
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/input/trusted/base b/config/nftables/nft/inet/redxenfirewall/filter/input/trusted/base
deleted file mode 100644
index 5b516c0..0000000
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/trusted/base
+++ /dev/null
@@ -1,4 +0,0 @@
-iifname "lo" counter accept; # Loopback
-iifname "eth1" counter accept; # Private network
-icmp type { echo-request } counter accept;
-icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;
diff --git a/config/nftables/nft/inet/redxenfirewall/table b/config/nftables/nft/inet/redxenfirewall/table
index 4a98fc1..86f5533 100644
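Review bot: The new ban4/ban6 lines end in a bare `counter;` with no verdict, so the packet that trips the meter and inserts its source into @blackhole4/@blackhole6 keeps traversing the chain; it is stopped only because the drop4/drop6 lines that follow use a stricter rate (no burst) and reject it, and because, per the table hunk, the chain this file is included into ends in a reject. That coupling is implicit and worth stating at the top of the file, e.g. `# ban4/ban6 only populate the blackhole sets; the drop4/drop6 rules below reject the packet itself.` Separately, `rate over 1/second burst 10 packets` on `ct state new` is reached by one client opening roughly a dozen connections in quick succession (web browsers and IMAP clients routinely do), after which the source is rejected for the 1h set timeout and, as far as the table hunk shows, every further packet refreshes that timeout; confirm the threshold against the services in allowed/* before deploying. The dropped `iifname "eth0"` qualifiers presumably rely on the caller jumping here only for eth0, so this file should not be included from any other chain.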
--- a/config/nftables/nft/inet/redxenfirewall/table
+++ b/config/nftables/nft/inet/redxenfirewall/table
@@ -12,12 +12,23 @@ table inet redxenfirewall {
 chain rxfi {
 type filter hook input priority 0;
- policy drop;
- include "inet/redxenfirewall/filter/input/blocked/*";
- include "inet/redxenfirewall/filter/input/trusted/*";
+ policy accept;
+
+ ct state invalid counter drop;
+ ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter reject with icmpx type admin-prohibited;
+ ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter reject with icmpx type admin-prohibited;
+
+ icmp type { echo-request } counter accept;
+ icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;
+ ct state related,established counter accept;
+
+ iifname "eth0" jump rxfi-extern;
+ }
+
+ chain rxfi-extern {
 include "inet/redxenfirewall/filter/input/stateful/*";
 include "inet/redxenfirewall/filter/input/allowed/*";
- include "inet/redxenfirewall/filter/input/established/*";
+ counter reject with icmpx type admin-prohibited;
 }
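Review bot: The base chain's policy flips from drop to accept on the new `policy accept;` line, which makes every interface other than eth0 fail-open: the deleted trusted/base rules accepted only `lo` and `eth1` by name, whereas now any interface not literally called "eth0" (a renamed NIC, a new tunnel or bridge interface) falls through the end of rxfi and is accepted unfiltered, while only eth0 is fail-closed through the `counter reject` that terminates rxfi-extern. Keeping `policy drop;`, accepting the known-trusted interfaces explicitly and leaving the jump as the last rule would preserve the previous default-deny posture, e.g. `iifname { "lo", "eth1" } counter accept;` placed before `iifname "eth0" jump rxfi-extern;`. A comment on the jump line, such as `# rxfi-extern must end in a terminal verdict; falling off its end returns here`, would also make the dependency on the reject at the end of rxfi-extern explicit, since with the accept policy a missing verdict there would accept the packet.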