Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2024-12-22 13:45:02 -05:00
Code Issues Packages Projects Releases Wiki Activity

raise synproxy bypass burst to 128 packets from 5

Browse Source 
Our network servers are spiking over the default burst limit of 5
packets during regular usage. It's unclear high this should be but 5
packets is definitely too low.
This commit is contained in:
Daniel Micay 2024-04-10 15:02:25 -04:00
parent b38736ca74
commit b21ea0a23f
9 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nftables-attestation.conf
View File

@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}

2
nftables-discuss.conf
View File

@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}

2
nftables-mail.conf
View File

@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}

2
nftables-matrix.conf
View File

@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}

2
nftables-network.conf
View File

@ -44,7 +44,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
udp dport 123 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept

2
nftables-ns1.conf
View File

@ -43,7 +43,7 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}

2
nftables-ns2.conf
View File

@ -48,7 +48,7 @@ table inet filter {
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
udp dport 53 notrack accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}

2
nftables-social.conf
View File

@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}

2
nftables-web.conf
View File

@ -46,7 +46,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}