diff --git a/nftables/nftables-attestation.conf b/nftables/nftables-attestation.conf
index 20cc306..3e1d816 100644
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@@ -101,26 +101,20 @@ table inet filter {
 chain output-raw {
 type filter hook output priority raw
- oif lo notrack accept
+ oif lo goto output-raw-loopback
+ skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output {
- type filter hook output priority filter
+ chain output-raw-loopback {
+ skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 notrack accept
+ skuid { chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 notrack accept
- oif lo goto output-loopback
- skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject
- }
-
- chain output-loopback {
- skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 accept
- skuid { chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 accept
-
- skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept
- skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 accept
+ skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 notrack accept
+ skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 notrack accept
 skuid != root counter goto graceful-reject
- accept
+ notrack accept
 }
 chain graceful-reject {
diff --git a/nftables/nftables-discuss.conf b/nftables/nftables-discuss.conf
index 808c03f..8dda89f 100644
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
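Review bot: With the filter-priority `output` base chain deleted in this hunk, the `notrack accept` verdicts in `output-raw` and `output-raw-loopback` are now the last word on egress unless another output-hook chain exists outside the hunk; before this change an accept at raw priority still let the packet reach the uid check in `output`. That makes rule order inside `output-raw` security-relevant in a way it was not before, and nothing in the hunk records it; the same restructuring is repeated in the discuss, mail, matrix, network, ns1, ns2, social and web files. A comment above `chain output-raw {` such as `# Raw priority runs before conntrack and is now the only output hook: accept here is final, so the skuid policy must precede any accept.` would preserve the intent. The enclosing `table inet filter {` starts before the hunk.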
@@ -101,23 +101,17 @@ table inet filter {
 chain output-raw {
 type filter hook output priority raw
- oif lo notrack accept
+ oif lo goto output-raw-loopback
+ skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output {
- type filter hook output priority filter
-
- oif lo goto output-loopback
- skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
- }
-
- chain output-loopback {
- skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
- skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
+ chain output-raw-loopback {
+ skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
+ skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid != root counter goto graceful-reject
- accept
+ notrack accept
 }
 chain graceful-reject {
diff --git a/nftables/nftables-mail.conf b/nftables/nftables-mail.conf
index 6e1db6d..2f0c8b4 100644
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
@@ -113,23 +113,17 @@ table inet filter {
 chain output-raw {
 type filter hook output priority raw
- oif lo notrack accept
+ oif lo goto output-raw-loopback
+ skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output {
- type filter hook output priority filter
-
- oif lo goto output-loopback
- skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
- }
-
- chain output-loopback {
- skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
- skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
+ chain output-raw-loopback {
+ skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
+ skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid != root counter goto graceful-reject
- accept
+ notrack accept
 }
 chain graceful-reject {
diff --git a/nftables/nftables-matrix.conf b/nftables/nftables-matrix.conf
index 4725963..002d244 100644
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
@@ -101,33 +101,27 @@ table inet filter {
 chain output-raw {
 type filter hook output priority raw
- oif lo notrack accept
+ oif lo goto output-raw-loopback
+ skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output {
- type filter hook output priority filter
+ chain output-raw-loopback {
+ skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 notrack accept
+ skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 notrack accept
- oif lo goto output-loopback
- skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
- }
+ skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 notrack accept
- chain output-loopback {
- skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 accept
- skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 accept
+ skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 notrack accept
+ skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 notrack accept
+ skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 notrack accept
- skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept
-
- skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 accept
- skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
- skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
-
- skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 accept
- skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
- skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
+ skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 notrack accept
+ skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 notrack accept
+ skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 notrack accept
 skuid != root counter goto graceful-reject
- accept
+ notrack accept
 }
 chain graceful-reject {
diff --git a/nftables/nftables-network.conf b/nftables/nftables-network.conf
index 6a9767b..b184656 100644
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@@ -111,24 +111,18 @@ table inet filter {
 chain output-raw {
 type filter hook output priority raw
- oif lo notrack accept
+ oif lo goto output-raw-loopback
+ skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
 udp sport 123 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output {
- type filter hook output priority filter
-
- oif lo goto output-loopback
- skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
- }
-
- chain output-loopback {
- skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
- skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
+ chain output-raw-loopback {
+ skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
+ skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid != root counter goto graceful-reject
- accept
+ notrack accept
 }
 chain graceful-reject {
diff --git a/nftables/nftables-ns1.conf b/nftables/nftables-ns1.conf
index 0a96b60..dac934b 100644
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@@ -104,29 +104,23 @@ table inet filter {
 chain output-raw {
 type filter hook output priority raw
- oif lo notrack accept
+ oif lo goto output-raw-loopback
 udp sport 53 notrack accept
+ skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output {
- type filter hook output priority filter
+ chain output-raw-loopback {
+ skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
+ skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
- oif lo goto output-loopback
- skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
- }
+ skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
+ skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
- chain output-loopback {
- skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
- skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
-
- skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
- skuid http meta l4proto tcp th sport >= 1024 th dport 54 accept
-
- skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
+ skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
 skuid != root counter goto graceful-reject
- accept
+ notrack accept
 }
 chain graceful-reject {
diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index 828b35f..b9821ff 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
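Review bot: In `output-raw` the new `skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject` line lands after the existing `udp sport 53 notrack accept` rule, so outbound UDP with source port 53 is accepted before the uid check runs, and with the filter-priority `output` chain removed nothing later re-applies that check unless an output-hook chain exists elsewhere in the file; before this commit `output` still saw that traffic. The ns2 hunk places the skuid line directly after `oif lo goto output-raw-loopback` and ahead of the port-53 rule, so the two name servers now diverge on a policy that should be identical. Whether a non-allowlisted uid can bind port 53 on this host depends on configuration not visible here, but the ordering should match ns2 regardless: `oif lo goto output-raw-loopback`, then `skuid != { ... } counter goto graceful-reject`, then `udp sport 53 notrack accept`. The enclosing `table inet filter {` starts before the hunk.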
@@ -115,29 +115,23 @@ table inet filter {
 chain output-raw {
 type filter hook output priority raw
- oif lo notrack accept
+ oif lo goto output-raw-loopback
+ skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
 udp sport 53 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output {
- type filter hook output priority filter
+ chain output-raw-loopback {
+ skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
+ skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
- oif lo goto output-loopback
- skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
- }
+ skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
+ skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
- chain output-loopback {
- skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
- skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
-
- skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
- skuid http meta l4proto tcp th sport >= 1024 th dport 54 accept
-
- skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
+ skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
 skuid != root counter goto graceful-reject
- accept
+ notrack accept
 }
 chain graceful-reject {
diff --git a/nftables/nftables-social.conf b/nftables/nftables-social.conf
index 27e33a8..7336f47 100644
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@@ -101,25 +101,19 @@ table inet filter {
 chain output-raw {
 type filter hook output priority raw
- oif lo notrack accept
+ oif lo goto output-raw-loopback
+ skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output {
- type filter hook output priority filter
+ chain output-raw-loopback {
+ skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
+ skuid { chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
- oif lo goto output-loopback
- skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject
- }
-
- chain output-loopback {
- skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
- skuid { chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
-
- skuid postgres udp sport >= 1024 udp dport >= 1024 accept
+ skuid postgres udp sport >= 1024 udp dport >= 1024 notrack accept
 skuid != root counter goto graceful-reject
- accept
+ notrack accept
 }
 chain graceful-reject {
diff --git a/nftables/nftables-web.conf b/nftables/nftables-web.conf
index a02b65d..9c36f9c 100644
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
@@ -111,23 +111,17 @@ table inet filter {
 chain output-raw {
 type filter hook output priority raw
- oif lo notrack accept
+ oif lo goto output-raw-loopback
+ skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output {
- type filter hook output priority filter
-
- oif lo goto output-loopback
- skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
- }
-
- chain output-loopback {
- skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
- skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
+ chain output-raw-loopback {
+ skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
+ skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid != root counter goto graceful-reject
- accept
+ notrack accept
 }
 chain graceful-reject {