Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-01-03 11:00:49 -05:00
Code Issues Packages Projects Releases Wiki Activity

enforce strong host model via nftables

Browse Source
This commit is contained in:
Daniel Micay 2024-03-24 13:27:55 -04:00
parent eb55afa3a8
commit 59984a477c
9 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nftables-attestation.conf
View File

@ -10,6 +10,10 @@ table inet filter {
fib saddr . iif oif missing counter drop
iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
}

4
nftables-discuss.conf
View File

@ -10,6 +10,10 @@ table inet filter {
fib saddr . iif oif missing counter drop
iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
}

4
nftables-mail.conf
View File

@ -10,6 +10,10 @@ table inet filter {
fib saddr . iif oif missing counter drop
iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 25, 80, 443, 465, 993} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
}

4
nftables-matrix.conf
View File

@ -10,6 +10,10 @@ table inet filter {
fib saddr . iif oif missing counter drop
iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
}

4
nftables-network.conf
View File

@ -10,6 +10,10 @@ table inet filter {
fib saddr . iif oif missing counter drop
iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443, 7275} notrack accept
udp dport 123 notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept

4
nftables-ns1.conf
View File

@ -10,6 +10,10 @@ table inet filter {
fib saddr . iif oif missing counter drop
iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept

4
nftables-ns2.conf
View File

@ -10,6 +10,10 @@ table inet filter {
fib saddr . iif oif missing counter drop
iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept

4
nftables-social.conf
View File

@ -10,6 +10,10 @@ table inet filter {
fib saddr . iif oif missing counter drop
iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
}

4
nftables-web.conf
View File

@ -10,6 +10,10 @@ table inet filter {
fib saddr . iif oif missing counter drop
iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
}