mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2024-12-22 13:45:02 -05:00
raise burst value for synproxy threshold
This commit is contained in:
parent
c99b8d0b47
commit
ba79d80b52
@ -38,7 +38,7 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
|
||||||
|
|
||||||
meta l4proto { tcp, udp } accept
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
@ -38,7 +38,7 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
|
||||||
|
|
||||||
meta l4proto { tcp, udp } accept
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
@ -50,7 +50,7 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
|
||||||
|
|
||||||
meta l4proto { tcp, udp } accept
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
@ -38,7 +38,7 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
|
||||||
|
|
||||||
meta l4proto { tcp, udp } accept
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
@ -46,7 +46,7 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
|
||||||
|
|
||||||
udp dport 123 notrack accept
|
udp dport 123 notrack accept
|
||||||
|
|
||||||
|
@ -40,7 +40,7 @@ table inet filter {
|
|||||||
udp dport 53 notrack accept
|
udp dport 53 notrack accept
|
||||||
|
|
||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
|
||||||
|
|
||||||
meta l4proto { tcp, udp } accept
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
@ -52,7 +52,7 @@ table inet filter {
|
|||||||
tcp dport 22 ip daddr $ip-anycast drop
|
tcp dport 22 ip daddr $ip-anycast drop
|
||||||
|
|
||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
|
||||||
|
|
||||||
meta l4proto { tcp, udp } accept
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
@ -38,7 +38,7 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
|
||||||
|
|
||||||
meta l4proto { tcp, udp } accept
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
@ -48,7 +48,7 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
|
||||||
|
|
||||||
meta l4proto { tcp, udp } accept
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
Loading…
Reference in New Issue
Block a user