Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-01-03 11:00:49 -05:00
Code Issues Packages Projects Releases Wiki Activity

nftables: reorder rule for rejecting SSH via anycast

Browse Source
This commit is contained in:
Daniel Micay 2024-04-15 23:54:17 -04:00
parent 8caa777e11
commit 7782c861cb
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nftables/nftables-ns2.conf
View File

@ -44,11 +44,11 @@ table inet filter {
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept
# reject SSH packets via anycast IP
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
udp dport 53 notrack accept
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept