From 27bd153454f6d8b452b36f2df964a0153c7efd0a Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 25 Jul 2024 23:13:29 -0400
Subject: [PATCH] nftables: use allowlist for ICMP types
---
nftables/nftables-attestation.conf | 3 ++-
nftables/nftables-discuss.conf | 3 ++-
nftables/nftables-mail.conf | 3 ++-
nftables/nftables-matrix.conf | 3 ++-
nftables/nftables-network.conf | 3 ++-
nftables/nftables-ns1.conf | 3 ++-
nftables/nftables-ns2.conf | 3 ++-
nftables/nftables-social.conf | 3 ++-
nftables/nftables-web.conf | 3 ++-
9 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/nftables/nftables-attestation.conf b/nftables/nftables-attestation.conf
index 0d6eecb..a6cf4eb 100644
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@@ -41,7 +41,8 @@ table inet filter {
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
+ icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
+ meta l4proto ipv6-icmp notrack accept
}
chain input {
diff --git a/nftables/nftables-discuss.conf b/nftables/nftables-discuss.conf
index dbbaa95..3495321 100644
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
@@ -41,7 +41,8 @@ table inet filter {
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
+ icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
+ meta l4proto ipv6-icmp notrack accept
}
chain input {
diff --git a/nftables/nftables-mail.conf b/nftables/nftables-mail.conf
index 250ae2d..2d3287b 100644
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
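Review bot: The replacement rule `meta l4proto ipv6-icmp notrack accept` still admits every ICMPv6 type, so the allowlist named in the subject is applied to IPv4 only; the same asymmetry is in the discuss, mail, matrix, network, ns1, ns2, social and web hunks. nftables can constrain ICMPv6 the same way, e.g. `icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } notrack accept`, keeping packet-too-big and the neighbour-discovery types because IPv6 path MTU discovery and address resolution depend on them; whether `nd-redirect` or the MLD types (`mld-listener-query`, `mld-listener-report`, `mld-listener-done`) are also needed depends on the hosts' network, which the diff does not show. On the IPv4 side the new list implicitly drops `redirect`, `router-advertisement` and `router-solicitation`, which is presumably the intent, so a one-line comment above the rule recording that would stop a later edit from re-adding them. The enclosing chain starts outside the hunk, so whether its policy or later rules already cover ICMPv6 cannot be confirmed here.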
@@ -53,7 +53,8 @@ table inet filter {
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
+ icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
+ meta l4proto ipv6-icmp notrack accept
}
chain input {
diff --git a/nftables/nftables-matrix.conf b/nftables/nftables-matrix.conf
index 08ee37c..135b66a 100644
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
@@ -41,7 +41,8 @@ table inet filter {
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
+ icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
+ meta l4proto ipv6-icmp notrack accept
}
chain input {
diff --git a/nftables/nftables-network.conf b/nftables/nftables-network.conf
index 03e8b19..c501a65 100644
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@@ -51,7 +51,8 @@ table inet filter {
udp dport 123 notrack accept
meta l4proto { tcp, udp } accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
+ icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
+ meta l4proto ipv6-icmp notrack accept
}
chain input {
diff --git a/nftables/nftables-ns1.conf b/nftables/nftables-ns1.conf
index 892f20c..c076b5b 100644
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@@ -43,7 +43,8 @@ table inet filter {
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
+ icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
+ meta l4proto ipv6-icmp notrack accept
}
chain input {
diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index 0d36a54..e811486 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@@ -55,7 +55,8 @@ table inet filter {
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
+ icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
+ meta l4proto ipv6-icmp notrack accept
}
chain input {
diff --git a/nftables/nftables-social.conf b/nftables/nftables-social.conf
index 4c70f5b..14be9e7 100644
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@@ -41,7 +41,8 @@ table inet filter {
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
+ icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
+ meta l4proto ipv6-icmp notrack accept
}
chain input {
diff --git a/nftables/nftables-web.conf b/nftables/nftables-web.conf
index 2f33d53..acbde51 100644
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
@@ -51,7 +51,8 @@ table inet filter {
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
+ icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
+ meta l4proto ipv6-icmp notrack accept
}
chain input {