Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-01-03 11:00:49 -05:00
Code Issues Packages Projects Releases Wiki Activity

nftables: drop instead of reject for unused ports

Browse Source 
This provides consistency with DDoS protection services placed in front
of the services rather than the behavior changing based on whether DDoS
protection is active. This doesn't help with protecting against attacks
since they'll almost always be targeting ports with services active or
exhausting inbound bandwidth via UDP reflection attacks. This appears to
be the standard approach used by most large tech companies.
This commit is contained in:
Daniel Micay 2024-04-19 13:25:42 -04:00
parent b17b2f3fd3
commit 398acc6fe8
9 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nftables/nftables-attestation.conf
View File

@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept iif lo accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept } ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

2
nftables/nftables-discuss.conf
View File

@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept iif lo accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept } ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

2
nftables/nftables-mail.conf
View File

@ -61,7 +61,7 @@ table inet filter {
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
iif lo accept iif lo accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept } ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

2
nftables/nftables-matrix.conf
View File

@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept iif lo accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept } ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

2
nftables/nftables-network.conf
View File

@ -59,7 +59,7 @@ table inet filter {
iif lo accept iif lo accept
udp dport 123 accept udp dport 123 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept } ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

2
nftables/nftables-ns1.conf
View File

@ -52,7 +52,7 @@ table inet filter {
iif lo accept iif lo accept
udp dport 53 accept udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept } ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

4
nftables/nftables-ns2.conf
View File

@ -48,7 +48,7 @@ table inet filter {
udp dport 53 notrack accept udp dport 53 notrack accept
tcp dport 22 ip daddr $ip-anycast reject with tcp reset tcp dport 22 ip daddr $ip-anycast drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
@ -64,7 +64,7 @@ table inet filter {
iif lo accept iif lo accept
udp dport 53 accept udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept } ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

2
nftables/nftables-social.conf
View File

@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept iif lo accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept } ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

2
nftables/nftables-web.conf
View File

@ -59,7 +59,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept iif lo accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept } ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {