use standard style for nftables sets

Daniel Micay 2024-03-24 16:23:54 -04:00
parent 0ac67c38c3
commit 14e9cd5b76
9 changed files with 84 additions and 84 deletions


@ -14,16 +14,16 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443} notrack accept tcp dport { 22, 80, 443 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain output-raw { chain output-raw {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport {22, 80, 443} notrack accept tcp sport { 22, 80, 443 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain input { chain input {
@ -31,8 +31,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport { 22, 80, 443 } accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
@ -50,12 +50,12 @@ table inet filter {
type filter hook output priority filter type filter hook output priority filter
oif lo goto output-internal oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, http, attestation} counter goto output-reject skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto output-reject
} }
chain output-internal { chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != 8080 accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 accept
skuid {chrony, attestation} meta l4proto {tcp, udp} th sport >= 1024 th sport != 8080 th dport 53 accept skuid { chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 accept
skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept
skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 accept skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 accept


@ -15,18 +15,18 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# IPv6 interacts badly with IP-based spam filtering # IPv6 interacts badly with IP-based spam filtering
meta nfproto ipv6 tcp dport {80, 443} reject with tcp reset meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset
tcp dport {22, 80, 443} notrack accept tcp dport { 22, 80, 443 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain output-raw { chain output-raw {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport {22, 80, 443} notrack accept tcp sport { 22, 80, 443 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain input { chain input {
@ -34,8 +34,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport { 22, 80, 443 } accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
@ -53,12 +53,12 @@ table inet filter {
type filter hook output priority filter type filter hook output priority filter
oif lo goto output-internal oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate} counter goto output-reject skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto output-reject
} }
chain output-internal { chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid {chrony, http, flarum, flarum-admin, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid != root counter goto output-reject skuid != root counter goto output-reject
accept accept


@ -14,16 +14,16 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 25, 80, 443, 465, 993} notrack accept tcp dport { 22, 25, 80, 443, 465, 993 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain output-raw { chain output-raw {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport {22, 25, 80, 443, 465, 993} notrack accept tcp sport { 22, 25, 80, 443, 465, 993 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain input { chain input {
@ -31,8 +31,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 25, 80, 443, 465, 993} accept tcp dport { 22, 25, 80, 443, 465, 993 } accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
@ -50,12 +50,12 @@ table inet filter {
type filter hook output priority filter type filter hook output priority filter
oif lo goto output-internal oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http} counter goto output-reject skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto output-reject
} }
chain output-internal { chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid {chrony, postfix, opendkim, opendmarc, policyd-spf} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid != root counter goto output-reject skuid != root counter goto output-reject
accept accept


@ -14,16 +14,16 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443} notrack accept tcp dport { 22, 80, 443 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain output-raw { chain output-raw {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport {22, 80, 443} notrack accept tcp sport { 22, 80, 443 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain input { chain input {
@ -31,8 +31,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport { 22, 80, 443 } accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
@ -50,12 +50,12 @@ table inet filter {
type filter hook output priority filter type filter hook output priority filter
oif lo goto output-internal oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, http, synapse, matterbridge} counter goto output-reject skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto output-reject
} }
chain output-internal { chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != 8008 accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 accept
skuid {chrony, synapse, matterbridge} meta l4proto {tcp, udp} th sport >= 1024 th sport != 8008 th dport 53 accept skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 accept
skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept


@ -14,18 +14,18 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443, 7275} notrack accept tcp dport { 22, 80, 443, 7275 } notrack accept
udp dport 123 notrack accept udp dport 123 notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain output-raw { chain output-raw {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport {22, 80, 443, 7275} notrack accept tcp sport { 22, 80, 443, 7275 } notrack accept
udp sport 123 notrack accept udp sport 123 notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain input { chain input {
@ -33,9 +33,9 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443, 7275} accept tcp dport { 22, 80, 443, 7275 } accept
udp dport 123 accept udp dport 123 accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
@ -53,12 +53,12 @@ table inet filter {
type filter hook output priority filter type filter hook output priority filter
oif lo goto output-internal oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, http} counter goto output-reject skuid != { root, systemd-network, unbound, chrony, http } counter goto output-reject
} }
chain output-internal { chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid {chrony, http} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid != root counter goto output-reject skuid != root counter goto output-reject
accept accept


@ -15,8 +15,8 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept udp dport 53 notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept tcp dport { 22, 53, 80, 443, 853 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain output-raw { chain output-raw {
@ -24,8 +24,8 @@ table inet filter {
oif lo notrack accept oif lo notrack accept
udp sport 53 notrack accept udp sport 53 notrack accept
tcp sport {22, 53, 80, 443, 853} notrack accept tcp sport { 22, 53, 80, 443, 853 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain input { chain input {
@ -34,8 +34,8 @@ table inet filter {
iif lo accept iif lo accept
udp dport 53 accept udp dport 53 accept
tcp dport {22, 53, 80, 443, 853} accept tcp dport { 22, 53, 80, 443, 853 } accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
@ -53,15 +53,15 @@ table inet filter {
type filter hook output priority filter type filter hook output priority filter
oif lo goto output-internal oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, http, powerdns, geoipupdate} counter goto output-reject skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto output-reject
} }
chain output-internal { chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
skuid http meta l4proto {tcp, udp} th sport >= 1024 th dport 54 accept skuid http meta l4proto { tcp, udp } th sport >= 1024 th dport 54 accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept


@ -18,8 +18,8 @@ table inet filter {
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
udp dport 53 notrack accept udp dport 53 notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept tcp dport { 22, 53, 80, 443, 853 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain output-raw { chain output-raw {
@ -27,8 +27,8 @@ table inet filter {
oif lo notrack accept oif lo notrack accept
udp sport 53 notrack accept udp sport 53 notrack accept
tcp sport {22, 53, 80, 443, 853} notrack accept tcp sport { 22, 53, 80, 443, 853 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain input { chain input {
@ -37,8 +37,8 @@ table inet filter {
iif lo accept iif lo accept
udp dport 53 accept udp dport 53 accept
tcp dport {22, 53, 80, 443, 853} accept tcp dport { 22, 53, 80, 443, 853 } accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
@ -56,15 +56,15 @@ table inet filter {
type filter hook output priority filter type filter hook output priority filter
oif lo goto output-internal oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, http, powerdns, geoipupdate} counter goto output-reject skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto output-reject
} }
chain output-internal { chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
skuid http meta l4proto {tcp, udp} th sport >= 1024 th dport 54 accept skuid http meta l4proto { tcp, udp } th sport >= 1024 th dport 54 accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept


@ -14,16 +14,16 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443} notrack accept tcp dport { 22, 80, 443 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain output-raw { chain output-raw {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport {22, 80, 443} notrack accept tcp sport { 22, 80, 443 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain input { chain input {
@ -31,8 +31,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport { 22, 80, 443 } accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
@ -50,12 +50,12 @@ table inet filter {
type filter hook output priority filter type filter hook output priority filter
oif lo goto output-internal oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, http, mastodon} counter goto output-reject skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto output-reject
} }
chain output-internal { chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid {chrony, mastodon} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept skuid { chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid postgres udp sport >= 1024 udp dport >= 1024 accept skuid postgres udp sport >= 1024 udp dport >= 1024 accept


@ -14,16 +14,16 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443} notrack accept tcp dport { 22, 80, 443 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain output-raw { chain output-raw {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport {22, 80, 443} notrack accept tcp sport { 22, 80, 443 } notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
chain input { chain input {
@ -31,8 +31,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport { 22, 80, 443 } accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
@ -50,12 +50,12 @@ table inet filter {
type filter hook output priority filter type filter hook output priority filter
oif lo goto output-internal oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, http} counter goto output-reject skuid != { root, systemd-network, unbound, chrony, http } counter goto output-reject
} }
chain output-internal { chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid chrony meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid != root counter goto output-reject skuid != root counter goto output-reject
accept accept