Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-01-05 12:00:47 -05:00
Code Issues Packages Projects Releases Wiki Activity

nftables: simplify rules via untracked state

Browse Source
This commit is contained in:
Daniel Micay 2024-04-23 02:08:57 -04:00
parent d369f159a9
commit 5ba6cbd3d1
9 changed files with 9 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nftables/nftables-attestation.conf
View File

@ -47,9 +47,7 @@ table inet filter {
policy drop policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

4
nftables/nftables-discuss.conf
View File

@ -47,9 +47,7 @@ table inet filter {
policy drop policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

4
nftables/nftables-mail.conf
View File

@ -59,9 +59,7 @@ table inet filter {
policy drop policy drop
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
iif lo accept ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

4
nftables/nftables-matrix.conf
View File

@ -47,9 +47,7 @@ table inet filter {
policy drop policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

5
nftables/nftables-network.conf
View File

@ -56,10 +56,7 @@ table inet filter {
policy drop policy drop
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
iif lo accept ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
udp dport 123 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

5
nftables/nftables-ns1.conf
View File

@ -49,10 +49,7 @@ table inet filter {
policy drop policy drop
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
iif lo accept ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

5
nftables/nftables-ns2.conf
View File

@ -61,10 +61,7 @@ table inet filter {
policy drop policy drop
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
iif lo accept ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

4
nftables/nftables-social.conf
View File

@ -47,9 +47,7 @@ table inet filter {
policy drop policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {

4
nftables/nftables-web.conf
View File

@ -57,9 +57,7 @@ table inet filter {
policy drop policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
} }
chain input-tcp-service { chain input-tcp-service {