Fix wireguard clients being able to connect to local ports
This commit is contained in:
parent
1cdcbc9635
commit
8110e94e89
|
@ -3,7 +3,7 @@
|
|||
|
||||
. ../APKBUILD-config.template
|
||||
|
||||
pkgver=2023.05.24.01
|
||||
pkgver=2023.08.09.04
|
||||
pkgrel=0
|
||||
options="!check" # check requires root?
|
||||
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
# Ban if connection attempts are still made over the limit
|
||||
ct state new meter ban4 { ip saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole4 { ip saddr timeout 1h } counter reject;
|
||||
ct state new meter ban6 { ip6 saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole6 { ip6 saddr timeout 1h } counter reject;
|
||||
iifname "eth0" ct state new meter ban4 { ip saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole4 { ip saddr timeout 1h } counter reject;
|
||||
iifname "eth0" ct state new meter ban6 { ip6 saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole6 { ip6 saddr timeout 1h } counter reject;
|
||||
|
|
|
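Review bot: The interface name `"eth0"` is now hard-coded in both meter rules here and again in the sibling firewall hunk (`iifname "eth0" jump rxfi-extern;`), so renaming the uplink means editing several files in step; an nftables `define extern_if = "eth0"` in a shared include, used as `iifname $extern_if`, would keep them consistent. If these two rules live in the `rxfi-extern` chain, which the sibling hunk now enters only from eth0, the prefix is redundant but harmless; if they are also included from another chain, rate-limited floods arriving on other interfaces no longer update the blackhole sets. The enclosing chain, if any, starts outside this hunk.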
@ -12,7 +12,7 @@ table inet redxenfirewall {
|
|||
|
||||
chain rxfi {
|
||||
type filter hook input priority 0;
|
||||
policy accept;
|
||||
policy drop;
|
||||
|
||||
ct state invalid counter drop;
|
||||
ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter reject with icmpx type admin-prohibited;
|
||||
|
@ -22,7 +22,8 @@ table inet redxenfirewall {
|
|||
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;
|
||||
ct state related,established counter accept;
|
||||
|
||||
iifname "eth0" jump rxfi-extern;
|
||||
iifname {"lo", "eth1"} counter accept;
|
||||
jump rxfi-extern;
|
||||
}
|
||||
|
||||
chain rxfi-extern {
|
||||
|
|
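Review bot: With `policy drop;` now in effect, a packet arriving on any interface other than eth0, lo or eth1 — including the WireGuard tunnel interface this commit fences off — falls off the end of `rxfi` into the default policy without being counted, so the blocked tunnel traffic leaves no trace in the `nft list ruleset` counters. Add an explicit final rule before the closing brace, `counter drop;`, so the drop is visible and the policy line is only a safety net. Unless lines 19–21 of the file (not in the diff) accept it, the tunnel clients are now cut off from every local service, not just unintended ports; if the host is meant to serve something such as DNS over the tunnel, that needs an explicit `iifname "<wg-interface>" ... accept` rule before the end of the chain. The ICMPv6 allow-list in the first context line of this hunk is now the only path for neighbour-discovery traffic that is not related to an existing flow, and it omits `nd-router-solicit` and `mld-listener-query`, which passed under the old accept policy, so IPv6 on eth0 should be re-checked after the change. The `rxfi-extern` chain opens at the end of this hunk and its body is outside it.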