nftables: explain synproxy bypass rate limit

2025-01-03 11:00:49 -05:00 · 2024-04-11 09:56:30 -04:00 · 2024-04-11 09:56:30 -04:00 · 26a58b2492
commit 26a58b2492
parent ecd14bddff
9 changed files with 20 additions and 0 deletions
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@ -44,8 +44,10 @@ table inet filter {
        # ordered after accepting loopback to permit using external IPs via loopback
        fib daddr . iif type != { local, broadcast, multicast } counter drop
        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@ -44,8 +44,10 @@ table inet filter {
        # ordered after accepting loopback to permit using external IPs via loopback
        fib daddr . iif type != { local, broadcast, multicast } counter drop
        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@ -44,8 +44,10 @@ table inet filter {
        # ordered after accepting loopback to permit using external IPs via loopback
        fib daddr . iif type != { local, broadcast, multicast } counter drop
        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@ -44,8 +44,10 @@ table inet filter {
        # ordered after accepting loopback to permit using external IPs via loopback
        fib daddr . iif type != { local, broadcast, multicast } counter drop
        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-network.conf
+++ b/nftables-network.conf
@ -46,8 +46,10 @@ table inet filter {
        # ordered after accepting loopback to permit using external IPs via loopback
        fib daddr . iif type != { local, broadcast, multicast } counter drop
        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
        tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
        udp dport 123 notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@ -45,8 +45,11 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop
        udp dport 53 notrack accept
        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@ -50,8 +50,11 @@ table inet filter {
        tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
        udp dport 53 notrack accept
        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-social.conf
+++ b/nftables-social.conf
@ -44,8 +44,10 @@ table inet filter {
        # ordered after accepting loopback to permit using external IPs via loopback
        fib daddr . iif type != { local, broadcast, multicast } counter drop
        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-web.conf
+++ b/nftables-web.conf
@ -48,8 +48,10 @@ table inet filter {
        # ordered after accepting loopback to permit using external IPs via loopback
        fib daddr . iif type != { local, broadcast, multicast } counter drop
        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }