From 53b2431f6b4d8565e3bc002922a9b40669b6f08c Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 15 Feb 2023 02:44:38 -0500
Subject: [PATCH] switch to unix socket socket for redis

---
 nftables-social.conf | 13 +++++--------
 unbound.conf         |  1 -
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/nftables-social.conf b/nftables-social.conf
index b9cb03c..1c4c61e 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -48,16 +48,13 @@ table inet filter {
     }
 
     chain output-internal {
-        skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != {3000, 4000, 6379} accept
-        skuid {chrony, mastodon} meta l4proto {tcp, udp} th sport >= 1024 th sport != {3000, 4000, 6379} th dport 53 accept
+        skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != {3000, 4000} accept
+        skuid {chrony, mastodon} meta l4proto {tcp, udp} th sport >= 1024 th sport != {3000, 4000} th dport 53 accept
 
-        skuid postgres udp sport >= 1024 udp sport != {3000, 4000, 6379} udp dport >= 1024 udp dport != {3000, 4000, 6379} accept
+        skuid postgres udp sport >= 1024 udp sport != {3000, 4000} udp dport >= 1024 udp dport != {3000, 4000} accept
 
-        skuid mastodon tcp sport {3000, 4000, 6379} tcp dport >= 1024 tcp dport != {3000, 4000, 6379} accept
-        skuid http tcp sport >= 1024 tcp sport != {3000, 4000, 6379} tcp dport {3000, 4000, 6379} accept
-
-        skuid redis tcp sport 6379 tcp dport >= 1024 tcp dport != {3000, 4000, 6379} accept
-        skuid mastodon tcp sport >= 1024 tcp sport != {3000, 4000, 6379} tcp dport 6379 accept
+        skuid mastodon tcp sport {3000, 4000} tcp dport >= 1024 tcp dport != {3000, 4000} accept
+        skuid http tcp sport >= 1024 tcp sport != {3000, 4000} tcp dport {3000, 4000} accept
 
         skuid != root counter goto output-reject
         accept
diff --git a/unbound.conf b/unbound.conf
index 1c5e61b..375318e 100644
--- a/unbound.conf
+++ b/unbound.conf
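Review bot: Dropping the `skuid redis` / `dport 6379` rules and removing 6379 from every `!= {3000, 4000}` exclusion set in output-internal assumes redis no longer binds TCP 6379, but no redis configuration change is part of this patch, so that assumption rests on a `port 0` / `unixsocket` setting that is not visible here; if the TCP listener were still up, the new unbound and postgres rules would accept traffic using 6379 as an ephemeral port, which the old sets deliberately prevented. With redis reachable only over its unix socket, this chain no longer mediates mastodon→redis access at all, so the socket's owning group and mode (redis `unixsocketperm`) now carry the access control that the removed `skuid mastodon ... tcp dport 6379 accept` rule used to express. A comment above the chain recording that, e.g. `# redis is reached via its unix socket; access is governed by the socket's group/mode, not by these rules`, would stop the next maintainer from re-adding a 6379 carve-out here or in unbound.conf. The closing brace of output-internal lies outside the hunk.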
@@ -10,7 +10,6 @@ server:
     outgoing-port-permit: 1024-65535
     outgoing-port-avoid: 3000 # mastodon web
     outgoing-port-avoid: 4000 # mastodon streaming
-    outgoing-port-avoid: 6379 # redis
     outgoing-port-avoid: 7275 # supl
     outgoing-port-avoid: 8008 # synapse
     outgoing-port-avoid: 8080 # attestation