simplify nftables based on strong host model
This commit is contained in:
parent
59984a477c
commit
7b64ffd4cd
@ -31,8 +31,7 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
|
||||
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
|
||||
tcp dport {22, 80, 443} accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
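Review bot: The address-bound rules `tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept` and its `ip6 daddr` twin are replaced by the address-less `tcp dport {22, 80, 443} accept`, but nothing in this file section shows the strong-host-model rule (`fib daddr . iif type != { local, broadcast, multicast } counter drop`) that the commit title relies on; on this page that rule only appears in the two files that also have a hunk around line 14. If the remaining files get it through a shared chain or include, the dependency should be stated where the accept rule now lives, e.g. `# destination address is enforced by the strong host model rule (fib daddr . iif type) in the prerouting chain`, so a later edit to that chain is not made without checking these accept rules. The same applies to the other single-hunk sections: the mail host (ports 25, 465, 993), the host with TCP 7275 and UDP 123, the DNS host with 53/853 and no anycast rules, and the two further {22, 80, 443} hosts. The `counter` on the fib drop rule is also the only visibility into misdirected traffic after this change, so it is worth keeping. The chain definition enclosing these rules starts outside the hunk.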
@ -14,6 +14,9 @@ table inet filter {
|
||||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# IPv6 interacts badly with IP-based spam filtering
|
||||
meta nfproto ipv6 tcp dport {22, 80, 443} reject with tcp reset
|
||||
|
||||
tcp dport {22, 80, 443} notrack accept
|
||||
meta l4proto {icmp, ipv6-icmp} notrack accept
|
||||
}
|
||||
@ -31,9 +34,7 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
|
||||
# IPv6 interacts badly with IP-based spam filtering
|
||||
#tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
|
||||
tcp dport {22, 80, 443} accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
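Review bot: The removal of `# IPv6 interacts badly with IP-based spam filtering` together with the commented-out `#tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept` leaves the input chain with no hint that IPv6 TCP to these ports is intentionally not served; the new generic `tcp dport {22, 80, 443} accept` would match it, and the exclusion now rests entirely on `meta nfproto ipv6 tcp dport {22, 80, 443} reject with tcp reset` in the earlier chain. A one-line comment above the accept rule, `# IPv6 TCP to these ports is rejected in the prerouting chain (spam filtering is IPv4-only)`, keeps the two rules tied together. If the reject rule is itself new in this commit (the rendered page does not show which lines of the line-14 hunk are added), note that IPv6 SYNs to these ports move from a silent drop under `policy drop` to an active TCP reset, which is a visible change to remote probing and should be deliberate. Both chain definitions start outside the hunks.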
@ -31,8 +31,7 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 25, 80, 443, 465, 993} ip daddr {{ipv4_address}} accept
|
||||
tcp dport {22, 25, 80, 443, 465, 993} ip6 daddr {{ipv6_address}} accept
|
||||
tcp dport {22, 25, 80, 443, 465, 993} accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
@ -31,8 +31,7 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
|
||||
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
|
||||
tcp dport {22, 80, 443} accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
@ -33,10 +33,8 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 80, 443, 7275} ip daddr {{ipv4_address}} accept
|
||||
tcp dport {22, 80, 443, 7275} ip6 daddr {{ipv6_address}} accept
|
||||
udp dport 123 ip daddr {{ipv4_address}} accept
|
||||
udp dport 123 ip6 daddr {{ipv6_address}} accept
|
||||
tcp dport {22, 80, 443, 7275} accept
|
||||
udp dport 123 accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
@ -33,10 +33,8 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo accept
|
||||
udp dport 53 ip daddr {{ipv4_address}} accept
|
||||
udp dport 53 ip6 daddr {{ipv6_address}} accept
|
||||
tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
|
||||
tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
|
||||
udp dport 53 accept
|
||||
tcp dport {22, 53, 80, 443, 853} accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
@ -14,6 +14,9 @@ table inet filter {
|
||||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# reject SSH packets via anycast IP
|
||||
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
||||
|
||||
udp dport 53 notrack accept
|
||||
tcp dport {22, 53, 80, 443, 853} notrack accept
|
||||
meta l4proto {icmp, ipv6-icmp} notrack accept
|
||||
@ -33,12 +36,8 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo accept
|
||||
udp dport 53 ip daddr {{ipv4_address}} accept
|
||||
udp dport 53 ip daddr 198.251.90.93 accept
|
||||
udp dport 53 ip6 daddr {{ipv6_address}} accept
|
||||
tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
|
||||
tcp dport {53, 80, 443, 853} ip daddr 198.251.90.93 accept
|
||||
tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
|
||||
udp dport 53 accept
|
||||
tcp dport {22, 53, 80, 443, 853} accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
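Review bot: The new `tcp dport {22, 53, 80, 443, 853} accept` also matches SSH to the anycast address 198.251.90.93, which the removed rule `tcp dport {53, 80, 443, 853} ip daddr 198.251.90.93 accept` deliberately left out; the exclusion now depends solely on `tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset` in the earlier chain, and the input chain no longer documents it. A comment next to the accept rule, `# SSH via the anycast address 198.251.90.93 is rejected in the prerouting chain`, would prevent that rule being dropped as dead weight later. If the anycast reject rule is new here (not determinable from the page), SSH to the anycast IP changes from a silent drop to an active reset. Both chain definitions start outside the hunks.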
@ -31,8 +31,7 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
|
||||
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
|
||||
tcp dport {22, 80, 443} accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
@ -31,8 +31,7 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
|
||||
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
|
||||
tcp dport {22, 80, 443} accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|