Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2024-06-14 08:52:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

raise synproxy bypass burst to 128 packets from 5

Browse Source 
Our network servers are spiking over the default burst limit of 5
packets during regular usage. It's unclear high this should be but 5
packets is definitely too low.
This commit is contained in:
Daniel Micay 2024-04-10 15:02:25 -04:00
parent b38736ca74
commit b21ea0a23f
9 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nftables-attestation.conf
View File

@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

2
nftables-discuss.conf
View File

@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

2
nftables-mail.conf
View File

@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

2
nftables-matrix.conf
View File

@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

2
nftables-network.conf
View File

@ -44,7 +44,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
udp dport 123 notrack accept udp dport 123 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept

2
nftables-ns1.conf
View File

@ -43,7 +43,7 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept udp dport 53 notrack accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

2
nftables-ns2.conf
View File

@ -48,7 +48,7 @@ table inet filter {
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
udp dport 53 notrack accept udp dport 53 notrack accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

2
nftables-social.conf
View File

@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

2
nftables-web.conf
View File

@ -46,7 +46,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }