Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-01-03 02:50:47 -05:00
Code Issues Packages Projects Releases Wiki Activity

nftables: use allowlist for ICMP types

Browse Source
This commit is contained in:
Daniel Micay 2024-07-25 23:13:29 -04:00
parent 437c5a5f3d
commit 27bd153454
9 changed files with 18 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
nftables/nftables-attestation.conf
View File

@ -41,7 +41,8 @@ table inet filter {
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
meta l4proto ipv6-icmp notrack accept
} }
chain input { chain input {

3
nftables/nftables-discuss.conf
View File

@ -41,7 +41,8 @@ table inet filter {
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
meta l4proto ipv6-icmp notrack accept
} }
chain input { chain input {

3
nftables/nftables-mail.conf
View File

@ -53,7 +53,8 @@ table inet filter {
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
meta l4proto ipv6-icmp notrack accept
} }
chain input { chain input {

3
nftables/nftables-matrix.conf
View File

@ -41,7 +41,8 @@ table inet filter {
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
meta l4proto ipv6-icmp notrack accept
} }
chain input { chain input {

3
nftables/nftables-network.conf
View File

@ -51,7 +51,8 @@ table inet filter {
udp dport 123 notrack accept udp dport 123 notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
meta l4proto ipv6-icmp notrack accept
} }
chain input { chain input {

3
nftables/nftables-ns1.conf
View File

@ -43,7 +43,8 @@ table inet filter {
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
meta l4proto ipv6-icmp notrack accept
} }
chain input { chain input {

3
nftables/nftables-ns2.conf
View File

@ -55,7 +55,8 @@ table inet filter {
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
meta l4proto ipv6-icmp notrack accept
} }
chain input { chain input {

3
nftables/nftables-social.conf
View File

@ -41,7 +41,8 @@ table inet filter {
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
meta l4proto ipv6-icmp notrack accept
} }
chain input { chain input {

3
nftables/nftables-web.conf
View File

@ -51,7 +51,8 @@ table inet filter {
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
meta l4proto ipv6-icmp notrack accept
} }
chain input { chain input {