Tighten score thresholds

Use generic ratelimiter and relax limit
2022-06-17 15:27:47 +00:00 · 2022-06-17 15:27:27 +00:00
6 changed files with 7 additions and 14 deletions
--- a/config/nftables/APKBUILD
+++ b/config/nftables/APKBUILD
@ -3,7 +3,7 @@

 . ../APKBUILD-config.template

-pkgver=2022.06.07.01
+pkgver=2022.06.17.01
 pkgrel=0
 options="!check" # check requires root?

--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
@ -1,6 +1,3 @@
 # Ban if connection attempts are still made over the limit
-ct state new meter ban4  { ip  saddr timeout 10m limit rate over 1/second burst 50 packets } update @blackhole4 { ip  saddr timeout 1h } counter;
-ct state new meter ban6  { ip6 saddr timeout 10m limit rate over 1/second burst 50 packets } update @blackhole6 { ip6 saddr timeout 1h } counter;
-
-ct state new meter drop4 { ip  saddr timeout 10m limit rate over 1/second } counter reject;
-ct state new meter drop6 { ip6 saddr timeout 10m limit rate over 1/second } counter reject;
+ct state new meter ban4  { ip  saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole4 { ip  saddr timeout 1h } counter reject;
+ct state new meter ban6  { ip6 saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole6 { ip6 saddr timeout 1h } counter reject;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
@ -1,2 +0,0 @@
-tcp dport { 143, 993 } ct state new meter dovecot4 { ip  saddr timeout 1h limit rate over 2/minute burst 20 packets } update @blackhole4 { ip  saddr timeout 1h } counter;
-tcp dport { 143, 993 } ct state new meter dovecot6 { ip6 saddr timeout 1h limit rate over 2/minute burst 20 packets } update @blackhole6 { ip6 saddr timeout 1h } counter;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
@ -1,2 +0,0 @@
-tcp dport { 25, 465, 587 } ct state new meter postfix4 { ip  saddr timeout 1h limit rate over 2/minute burst 20 packets } update @blackhole4 { ip  saddr timeout 1h } counter;
-tcp dport { 25, 465, 587 } ct state new meter postfix6 { ip6 saddr timeout 1h limit rate over 2/minute burst 20 packets } update @blackhole6 { ip6 saddr timeout 1h } counter;
--- a/config/rspamd/APKBUILD
+++ b/config/rspamd/APKBUILD
@ -3,7 +3,7 @@

 . ../APKBUILD-config.template

-pkgver=2022.05.28.01
+pkgver=2022.06.17.01
 pkgrel=0
 _baseconf="
 	rspamd.conf
@ -83,7 +83,7 @@ _module() {
 }

 sha512sums="
-e697ed4add5374540a2564f41584cf39cb513a452674cb1dd43f50e5b81fc2ca735d54c0bc35ccab3a741995d1806d6be0cc0a7e90bb53c430e9fb8265588470  rspamd.conf
+d8cdf558d17dd40b3875901a13fd8267f4a429bfedb4ada3267bd4e38263e773151e02be2f8f118aa23c6021ab872417b22d80c40567acab6705fb6275328dbc  rspamd.conf
 e01ab4f8c4806692f295c2a8ea18828a9df6a011c2e57d6020a325bfd23a3b2d933f8ecc0ab4c49cebf931718aecb58cf288852a036bd828d9da79ebc132ed14  composites.conf
 99d6b2b173ac5b62977562bb3f2d04cf29d3d94329a4b2abc120e6cca6da79d5ac2a35a16832f62b8e1fed331b6724f21b5e1aab076bd3c57b28b2261302238a  logging.conf
 e40a35928fe429c98301a4fd25d6fb71801ad0a78fa244423726df0bf069950756c77a1d03c77b8dcdae8eda27d3dd95ab67964fad005b90547fafb12718c28d  statistic.conf
--- a/config/rspamd/rspamd.conf
+++ b/config/rspamd/rspamd.conf
@ -71,6 +71,6 @@ options {

 actions {
 	reject = 150;
-	add_header = 5;
-	greylist = 1;
+	add_header = 2;
+	greylist = 0;
 }
Author	SHA1	Message	Date
Alex D.	c245e33fb9	Tighten score thresholds	2022-06-17 15:27:47 +00:00
Alex D.	01f7a89269	Use generic ratelimiter and relax limit	2022-06-17 15:27:27 +00:00