nftables: drop instead of reject for unused ports

This provides consistency with DDoS protection services placed in front
of the services rather than the behavior changing based on whether DDoS
protection is active. This doesn't help with protecting against attacks
since they'll almost always be targeting ports with services active or
exhausting inbound bandwidth via UDP reflection attacks. This appears to
be the standard approach used by most large tech companies.
Daniel Micay 2024-04-19 13:25:42 -04:00
parent b17b2f3fd3
commit 398acc6fe8
9 changed files with 10 additions and 10 deletions


@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {
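Review bot: The `graceful-reject` chain that the old vmap jumped to is no longer referenced from this input chain, and the diffstat (10 additions, 10 deletions over 9 files) suggests its definition is not removed in this commit; nftables tolerates an unreferenced chain, but a dead chain makes the policy harder to audit, so either delete it in a follow-up or annotate it, e.g. `# unused since new connections to closed ports are dropped; kept only for reference`. The vmap still maps only `new`, `established` and `related`, so packets conntrack marks `invalid` fall through to the rules or chain policy that follow, which sit outside this hunk; worth confirming that path also drops so the externally visible behaviour is uniform. The enclosing input chain starts before the hunk. The identical hunks in the other eight file sections share this point.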


@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -61,7 +61,7 @@ table inet filter {
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -59,7 +59,7 @@ table inet filter {
iif lo accept
udp dport 123 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -52,7 +52,7 @@ table inet filter {
iif lo accept
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -48,7 +48,7 @@ table inet filter {
udp dport 53 notrack accept
tcp dport 22 ip daddr $ip-anycast reject with tcp reset
tcp dport 22 ip daddr $ip-anycast drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
@ -64,7 +64,7 @@ table inet filter {
iif lo accept
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {
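Review bot: `tcp dport 22 ip daddr $ip-anycast drop` changes what an operator sees when they mistakenly SSH to the anycast address: the connection now hangs until the client's connect timeout instead of failing immediately with a reset, and nothing in the rule records that this is intended. A one-line comment above it would prevent the next reader from "fixing" it back, e.g. `# SSH is not served on the anycast address; drop rather than reset so closed ports behave the same with and without DDoS protection`. The first hunk's header counts 7 lines per side but only 5 are shown, so the surrounding rules of that hunk are partly outside what is visible here. The second hunk's vmap change has the same unreferenced `graceful-reject` chain consideration as the other file sections.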


@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -59,7 +59,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {