From 398acc6fe8ba95ec3cd5f32d25a443ff29aec9cf Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 19 Apr 2024 13:25:42 -0400
Subject: [PATCH] nftables: drop instead of reject for unused ports
This provides consistency with DDoS protection services placed in front of the services rather than the behavior changing based on whether DDoS protection is active. This doesn't help with protecting against attacks since they'll almost always be targeting ports with services active or exhausting inbound bandwidth via UDP reflection attacks. This appears to be the standard approach used by most large tech companies.
---
 nftables/nftables-attestation.conf | 2 +-
 nftables/nftables-discuss.conf | 2 +-
 nftables/nftables-mail.conf | 2 +-
 nftables/nftables-matrix.conf | 2 +-
 nftables/nftables-network.conf | 2 +-
 nftables/nftables-ns1.conf | 2 +-
 nftables/nftables-ns2.conf | 4 ++--
 nftables/nftables-social.conf | 2 +-
 nftables/nftables-web.conf | 2 +-
 9 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/nftables/nftables-attestation.conf b/nftables/nftables-attestation.conf
index 3e1d816..dcddf51 100644
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@@ -49,7 +49,7 @@ table inet filter {
 tcp dport { 22, 80, 443 } goto input-tcp-service
 iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ ct state vmap { new : drop, established : accept, related : accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-discuss.conf b/nftables/nftables-discuss.conf
index 8dda89f..6e22714 100644
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
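Review bot: The reason for preferring `drop` over the previous `goto graceful-reject` lives only in the commit message, so a maintainer reading nftables-attestation.conf later has nothing in the file saying the silent failure mode is deliberate; a one-line comment above the vmap such as `# drop rather than reject so behaviour matches the upstream DDoS protection path` would keep that decision next to the rule. The same vmap replacement is made in the discuss, mail, matrix, network, ns1, ns2 (second hunk), social and web configs, and the comment belongs in each of them. If the `graceful-reject` chain is still defined in these files (its definition is outside the hunks), it is now unreferenced from this vmap and should be removed unless something else still jumps to it. The vmap still maps no `invalid` state, so those packets fall through to the chain's default policy, which is not visible here; if the intent is a uniformly silent failure mode, an explicit `invalid : drop` entry would document that. The enclosing chain's header starts before the hunk.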
@@ -49,7 +49,7 @@ table inet filter {
 tcp dport { 22, 80, 443 } goto input-tcp-service
 iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ ct state vmap { new : drop, established : accept, related : accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-mail.conf b/nftables/nftables-mail.conf
index 2f0c8b4..391ff95 100644
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
@@ -61,7 +61,7 @@ table inet filter {
 tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
 iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ ct state vmap { new : drop, established : accept, related : accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-matrix.conf b/nftables/nftables-matrix.conf
index 002d244..dbd9872 100644
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
@@ -49,7 +49,7 @@ table inet filter {
 tcp dport { 22, 80, 443 } goto input-tcp-service
 iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ ct state vmap { new : drop, established : accept, related : accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-network.conf b/nftables/nftables-network.conf
index b184656..e394404 100644
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@@ -59,7 +59,7 @@ table inet filter {
 iif lo accept
 udp dport 123 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ ct state vmap { new : drop, established : accept, related : accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-ns1.conf b/nftables/nftables-ns1.conf
index 34673cc..be32c62 100644
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@@ -52,7 +52,7 @@ table inet filter {
 iif lo accept
 udp dport 53 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ ct state vmap { new : drop, established : accept, related : accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index 215afc8..10cb43f 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@@ -48,7 +48,7 @@ table inet filter {
 udp dport 53 notrack accept
- tcp dport 22 ip daddr $ip-anycast reject with tcp reset
+ tcp dport 22 ip daddr $ip-anycast drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
@@ -64,7 +64,7 @@ table inet filter {
 iif lo accept
 udp dport 53 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ ct state vmap { new : drop, established : accept, related : accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-social.conf b/nftables/nftables-social.conf
index 7336f47..21b90fe 100644
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@@ -49,7 +49,7 @@ table inet filter {
 tcp dport { 22, 80, 443 } goto input-tcp-service
 iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ ct state vmap { new : drop, established : accept, related : accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-web.conf b/nftables/nftables-web.conf
index 9c36f9c..da9d5fe 100644
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
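Review bot: The anycast SSH rule `tcp dport 22 ip daddr $ip-anycast drop` in the first nftables-ns2.conf hunk now fails silently, but the commit message's DDoS-consistency rationale is phrased around unused ports rather than this address-specific rule, so its intent is worth stating in the file, e.g. `# SSH is presumably only served on the unicast address; drop silently, consistent with the unused-port policy`. Because this rule sits above the synproxy line that includes port 22, rule order still keeps anycast SSH SYNs away from synproxy and conntrack, which appears to be the intended effect. The enclosing chain starts before the hunk.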
@@ -59,7 +59,7 @@ table inet filter {
 tcp dport { 22, 80, 443 } goto input-tcp-service
 iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ ct state vmap { new : drop, established : accept, related : accept }
 }
 chain input-tcp-service {