nftables: split out TCP service chain
parent
b152574da8
commit
3d886dea43
@ -55,8 +55,14 @@ table inet filter {
|
|||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
@ -65,12 +71,10 @@ table inet filter {
|
|||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
meta l4proto != tcp goto graceful-reject
|
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -79,8 +83,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-established {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443 } accept
|
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -90,8 +92,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443 } accept
|
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
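Review bot: The `synproxy mss 1460 wscale 7 timestamp sack-perm` rule in the second hunk has lost its `tcp dport { 22, 80, 443 }` match, which is correct only because `input-tcp-service` is entered solely through the `goto` in the input base chain, and that invariant is not recorded anywhere in the new chain; a header comment such as `# reached only via goto from the input chain for the public TCP service ports; every rule here may assume tcp dport is one of them` would keep a later reuse of the chain from widening synproxy to every port. The `tcp dport { 80, 443 } ... @ip-connlimit-main` rules in the same hunk and in `input-new` remain a second, hand-maintained copy of that port set minus 22, so a port added to the `goto` rule but not there would be synproxied without a connection limit; since the chain already guarantees the port is in the set, `tcp dport != 22 ip saddr @ip-connlimit-main counter reject with tcp reset` (and its ip6 twin) could replace the literal list, though the matching `add @ip-connlimit-main` rule that would also need adjusting lies outside these hunks. The `input-tcp-service` chain opens in the first hunk and closes in the second, and its `tcp dport 22 ip saddr @ip-connlimit-ssh` rule sits between them. The same point applies to the other six complete file sections of this commit, where only the per-host port literals differ.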
@ -55,8 +55,14 @@ table inet filter {
|
|||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
@ -65,12 +71,10 @@ table inet filter {
|
|||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
meta l4proto != tcp goto graceful-reject
|
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -79,8 +83,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-established {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443 } accept
|
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -90,8 +92,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443 } accept
|
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -55,8 +55,14 @@ table inet filter {
|
|||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
@ -65,12 +71,10 @@ table inet filter {
|
|||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 25, 80, 443, 465, 993 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
meta l4proto != tcp goto graceful-reject
|
|
||||||
tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -79,8 +83,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-established {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 25, 80, 443, 465, 993 } accept
|
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -90,8 +92,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 25, 80, 443, 465, 993 } accept
|
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -55,8 +55,14 @@ table inet filter {
|
|||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
@ -65,12 +71,10 @@ table inet filter {
|
|||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
meta l4proto != tcp goto graceful-reject
|
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -79,8 +83,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-established {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443 } accept
|
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -90,8 +92,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443 } accept
|
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -58,9 +58,15 @@ table inet filter {
|
|||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
udp dport 123 accept
|
udp dport 123 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
@ -69,12 +75,10 @@ table inet filter {
|
|||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
meta l4proto != tcp goto graceful-reject
|
|
||||||
tcp dport != { 22, 80, 443, 7275 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -83,8 +87,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-established {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443, 7275 } accept
|
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -94,8 +96,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443, 7275 } accept
|
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -57,9 +57,15 @@ table inet filter {
|
|||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
@ -68,12 +74,10 @@ table inet filter {
|
|||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
meta l4proto != tcp goto graceful-reject
|
|
||||||
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -82,8 +86,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-established {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 53, 80, 443, 853 } accept
|
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -93,8 +95,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 53, 80, 443, 853 } accept
|
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -62,9 +62,15 @@ table inet filter {
|
|||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
@ -73,12 +79,10 @@ table inet filter {
|
|||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
meta l4proto != tcp goto graceful-reject
|
|
||||||
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -87,8 +91,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-established {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 53, 80, 443, 853 } accept
|
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -98,8 +100,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 53, 80, 443, 853 } accept
|
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -55,8 +55,14 @@ table inet filter {
|
|||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
@ -65,12 +71,10 @@ table inet filter {
|
|||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
meta l4proto != tcp goto graceful-reject
|
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -79,8 +83,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-established {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443 } accept
|
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -90,8 +92,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443 } accept
|
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
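Review bot: The guard rules that `input-new`, `input-established` and `input-loopback` previously carried (`meta l4proto != tcp …` and `tcp dport != { 22, 80, 443 } …`) are removed in the later hunks of this section, so those chains are now only correct because the single dispatcher rule `tcp dport { 22, 80, 443 } goto input-tcp-service` in `input` is their only entry point; nothing in the new chain states that invariant. A packet that reached `input-tcp-service` by any other path would bypass `graceful-reject` and fall through to the connlimit and `synproxy` rules, so a comment at the top of the chain would help the next maintainer: `# entered only from input for tcp dport { 22, 80, 443 }; input-new/input-established/input-loopback no longer re-check proto or port and depend on this`. The port list `{ 22, 80, 443 }` is now repeated in the dispatcher and in each per-port connlimit rule, so a `define` or named set for it would keep the two from drifting when a service is added. As far as the visible hunks show, the split appears behavior-preserving for this file; the loopback-chain hunk in the preceding section, which mentions ports 53 and 853, is cut off and was not reviewed here.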
@ -59,8 +59,14 @@ table inet filter {
|
|||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
@ -69,12 +75,10 @@ table inet filter {
|
|||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
meta l4proto != tcp goto graceful-reject
|
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -83,8 +87,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-established {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443 } accept
|
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -94,8 +96,6 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
meta l4proto != tcp accept
|
|
||||||
tcp dport != { 22, 80, 443 } accept
|
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|