Enable dropping packets if connections are reopened even after drops, fix timeouts
parent
8f58005433
commit
a19423010d
@ -3,7 +3,7 @@
|
||||
|
||||
. ../APKBUILD-config.template
|
||||
|
||||
pkgver=2022.04.02.08
|
||||
pkgver=2022.04.03.01
|
||||
pkgrel=0
|
||||
options="!check" # check requires root?
|
||||
|
||||
|
@ -1,5 +1,3 @@
|
||||
ct state invalid counter drop;
|
||||
ip saddr @blackhole4 update @blackhole4 { ip saddr } counter;
|
||||
ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr } counter;
|
||||
ip saddr @blackhole4 counter drop;
|
||||
ip6 saddr @blackhole6 counter drop;
|
||||
ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter drop;
|
||||
ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter drop;
|
||||
|
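Review bot: The new `update @blackhole4 { ip saddr timeout 1h } counter drop;` rule and its ip6 twin restart the one-hour timer on every packet from a listed source, so an entry never expires while that source keeps sending. Entries are created from unauthenticated `ct state new` packets in the rate-limit file, so a forged or shared (NAT) source address can keep a legitimate client, or the administrator, locked out. I would put an allowlist match ahead of these two rules (a set of management addresses, called `trusted4`/`trusted6` here as placeholders) and add a comment such as `# any packet from a blackholed source renews its ban for 1h`. The set declarations and the position of these lines relative to any established/related accept are not visible in this section. Please confirm that `blackhole4`/`blackhole6` are declared with `flags timeout`, and that already-open sessions from a listed address are meant to be cut too.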
@ -1,5 +1,9 @@
|
||||
#iifname "eth0" ct state new meter limit4 { ip saddr ct count over 10 } counter reject;
|
||||
#iifname "eth0" ct state new meter limit6 { ip6 saddr ct count over 10 } counter reject;
|
||||
|
||||
iifname "eth0" ct state new meter global4 { ip saddr timeout 2h limit rate over 20/minute burst 60 packets } update @blackhole4 { ip saddr } counter;
|
||||
iifname "eth0" ct state new meter global6 { ip6 saddr timeout 2h limit rate over 20/minute burst 60 packets } update @blackhole6 { ip6 saddr } counter;
|
||||
# Ban if connection attempts are still made over the limit
|
||||
iifname "eth0" ct state new meter ban4 { ip saddr timeout 10m limit rate over 1/second burst 30 packets } update @blackhole4 { ip saddr timeout 10m } counter drop;
|
||||
iifname "eth0" ct state new meter ban6 { ip6 saddr timeout 10m limit rate over 1/second burst 30 packets } update @blackhole6 { ip6 saddr timeout 10m } counter drop;
|
||||
|
||||
iifname "eth0" ct state new meter drop4 { ip saddr timeout 10m limit rate over 1/second } counter drop;
|
||||
iifname "eth0" ct state new meter drop6 { ip6 saddr timeout 10m limit rate over 1/second } counter drop;
|
||||
|
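Review bot: The `ban6` and `drop6` meters key on the full `ip6 saddr`, so the 1/second limit applies per /128; a host with a routed /64 gets a separate budget per address, and every address adds an element to the meter and to `blackhole6`. Keying the v6 rules on the prefix, e.g. `meter drop6 { ip6 saddr and ffff:ffff:ffff:ffff:: timeout 10m limit rate over 1/second } counter drop;`, and giving the meters an explicit `size` would bound both; please verify the masked key against the nft version in use. The `timeout 10m` written by `ban4`/`ban6` is replaced by the 1h refresh in the blackhole rules as soon as the source sends another packet, so the comment would be more accurate as `# Ban for 10m; the blackhole rules extend this to 1h on every further packet`. `drop4`/`drop6` omit `burst` and so rely on the default; writing it out would make the intended threshold readable next to `burst 30 packets` on the ban rules.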