use DNS connlimit for HTTP/HTTPS on DNS servers
Our DNS servers only have HTTP(S) for obtaining certificates via ACME with accounturi pinning, along with redirecting people who visit the domain in a browser to our server documentation. We also only permit 1 request for each HTTP(S) connection for these services, so connections are very short-lived. We'll need to do this in a less aggressive way for our web sites and for our services used to transfer significant amounts of data, such as the update servers, since not all clients have TCP timestamps and will lose SACK and window scaling with the current Linux SYN cookie design, despite it being possible to avoid that as FreeBSD does.
parent
079997d4b5
commit
9fcac6b105
@ -21,12 +21,12 @@ table inet filter {
|
|||||||
flags dynamic
|
flags dynamic
|
||||||
}
|
}
|
||||||
|
|
||||||
set ip-connlimit-dns {
|
set ip-connlimit-main {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags dynamic
|
flags dynamic
|
||||||
}
|
}
|
||||||
|
|
||||||
set ip6-connlimit-dns {
|
set ip6-connlimit-main {
|
||||||
type ipv6_addr
|
type ipv6_addr
|
||||||
flags dynamic
|
flags dynamic
|
||||||
}
|
}
|
||||||
@ -43,8 +43,7 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
udp dport 53 notrack accept
|
udp dport 53 notrack accept
|
||||||
tcp dport { 80, 443 } notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
|
||||||
tcp dport { 22, 53, 853 } tcp flags syn notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -53,7 +52,6 @@ table inet filter {
|
|||||||
|
|
||||||
oif lo notrack accept
|
oif lo notrack accept
|
||||||
udp sport 53 notrack accept
|
udp sport 53 notrack accept
|
||||||
tcp sport { 80, 443 } notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -63,23 +61,22 @@ table inet filter {
|
|||||||
|
|
||||||
iif lo goto input-loopback
|
iif lo goto input-loopback
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
tcp dport { 80, 443 } accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
tcp dport { 53, 853 } ip saddr @ip-connlimit-dns counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 53, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-dns counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 53, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 53, 853 } tcp flags syn add @ip-connlimit-dns { ip saddr ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||||
tcp dport { 53, 853 } tcp flags syn add @ip6-connlimit-dns { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
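Review bot: The new `@ip-connlimit-main` rules in `input-loopback` put HTTP(S) under the same `ct count over 16` per-/32 (per-/64 for IPv6) limit that was previously sized only for DNS-over-TCP and DoT, and nothing in the ruleset records that this is acceptable solely because 80/443 on these hosts serve ACME validation and a one-request redirect, as the commit message explains; a reader of the file alone would reasonably expect web traffic from a NAT-shared address to need more headroom. I would add a comment above the `tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip-connlimit-main ...` rule: `# 80/443 on the DNS servers only serve ACME challenges and a redirect (one request per connection), so they share the DNS-over-TCP/DoT limit; hosts serving real web content or updates need their own sets with a higher limit`. The same comment belongs on the `synproxy mss 1460 wscale 7 timestamp sack-perm` rule that now also covers 80/443, since the commit message notes that clients without TCP timestamps lose SACK and window scaling under the Linux SYN cookie path used there. The second file section below makes the identical change and would take the same comments.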
|
@ -23,12 +23,12 @@ table inet filter {
|
|||||||
flags dynamic
|
flags dynamic
|
||||||
}
|
}
|
||||||
|
|
||||||
set ip-connlimit-dns {
|
set ip-connlimit-main {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags dynamic
|
flags dynamic
|
||||||
}
|
}
|
||||||
|
|
||||||
set ip6-connlimit-dns {
|
set ip6-connlimit-main {
|
||||||
type ipv6_addr
|
type ipv6_addr
|
||||||
flags dynamic
|
flags dynamic
|
||||||
}
|
}
|
||||||
@ -48,8 +48,7 @@ table inet filter {
|
|||||||
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
||||||
|
|
||||||
udp dport 53 notrack accept
|
udp dport 53 notrack accept
|
||||||
tcp dport { 80, 443 } notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
|
||||||
tcp dport { 22, 53, 853 } tcp flags syn notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -58,7 +57,6 @@ table inet filter {
|
|||||||
|
|
||||||
oif lo notrack accept
|
oif lo notrack accept
|
||||||
udp sport 53 notrack accept
|
udp sport 53 notrack accept
|
||||||
tcp sport { 80, 443 } notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -68,23 +66,22 @@ table inet filter {
|
|||||||
|
|
||||||
iif lo goto input-loopback
|
iif lo goto input-loopback
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
tcp dport { 80, 443 } accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
tcp dport { 53, 853 } ip saddr @ip-connlimit-dns counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 53, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-dns counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 53, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 53, 853 } tcp flags syn add @ip-connlimit-dns { ip saddr ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||||
tcp dport { 53, 853 } tcp flags syn add @ip6-connlimit-dns { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|