raise burst value for synproxy threshold

Daniel Micay 2024-04-26 16:30:49 -04:00
parent c99b8d0b47
commit ba79d80b52
9 changed files with 9 additions and 9 deletions


@ -38,7 +38,7 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
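Review bot: The new `burst 1024 packets` on the SYN rule has no rationale in the line comment or the commit message, and the bucket is shared by every source (there is no `meter` or per-address set in the rule), so one sender can drain it and push all other clients' new SYNs onto the `notrack accept` path. That is only acceptable because the comment says those SYNs are handed to synproxy, and the synproxy chain is not in this hunk. I would extend the comment so the next tune has a baseline, e.g. `# shared bucket: 1024 SYN/s sustained plus 1024 burst; excess SYNs are notrack'd and handled by the synproxy chain`.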


@ -38,7 +38,7 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
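Review bot: `tcp flags syn` on the changed line matches any segment with SYN set, so a SYN+ACK also consumes the token bucket; the precise connection-initiation match is `tcp flags & (syn | ack) == syn`. Unsolicited SYN+ACKs to these server ports should be rare, so this is precision rather than a live bug, but it keeps the enlarged `burst 1024` budget reserved for real handshakes, which is what the raise is meant to protect. If the synproxy chain (not in this hunk) keys on the same flag expression, change both together.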


@ -50,7 +50,7 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
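Review bot: The same `1024/second burst 1024 packets` literal is now repeated across nine host files, so the next tune is again a nine-file edit; a `define syn_burst = 1024` near the top of each file with `burst $syn_burst packets` on this line would make the threshold a one-line change per host and put it next to its rationale. This host also lists `25, 465, 993`, so mail clients share the bucket with SSH and HTTPS; if that is intended, a short note in the comment (`# one shared bucket for ssh, web and mail`) saves the question later. The top of the file is outside the hunk, so I cannot tell whether a `define` block already exists.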


@ -38,7 +38,7 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
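Review bot: The `counter` on the changed line is the only visible signal of how often excess SYNs are diverted, and with the bucket raised from 128 to 1024 it is worth confirming that it still increments under real load rather than assuming the old value was the problem. Recording the expectation in the comment, e.g. `# counter should stay near zero in normal traffic; steady growth means synproxy is carrying load`, turns the threshold into something an operator can check with `nft list ruleset`. The synproxy chain that consumes these notrack'd SYNs is not part of this hunk.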


@ -46,7 +46,7 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
udp dport 123 notrack accept udp dport 123 notrack accept
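Review bot: Setting `burst` equal to the rate means about a full second of SYNs (1024 at 1024/s) can arrive at once before the `rate over` match fires, which is a sizeable window for a single host to keep out of synproxy; the comment should say why 1024 was chosen over 128 so the trade-off against conntrack exhaustion, the rule's stated purpose, is explicit. Port `7275` sits in the set alongside `22, 80, 443` and whatever listens there shares the budget; naming the service in the comment would help whoever tunes this next. The rest of the chain, including the synproxy handling, is outside the hunk.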


@ -40,7 +40,7 @@ table inet filter {
udp dport 53 notrack accept udp dport 53 notrack accept
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
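Review bot: On this host TCP `53` and `853` share the SYN bucket with `22, 80, 443`, and DNS over TCP can be many short-lived connections, so the raised `burst 1024` may be consumed by resolver traffic before SSH or HTTPS sees any of it; the `udp dport 53 notrack accept` above keeps UDP DNS out of conntrack, but TCP fallback still goes through this rule. Consider a separate `limit` rule for `{ 53, 853 }` so a resolver burst does not push SSH/HTTPS SYNs into synproxy, or state in the comment that one shared bucket is deliberate. Whether synproxy is configured for the DNS ports is not visible in this hunk.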


@ -52,7 +52,7 @@ table inet filter {
tcp dport 22 ip daddr $ip-anycast drop tcp dport 22 ip daddr $ip-anycast drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
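Review bot: The `tcp dport 22 ip daddr $ip-anycast drop` just above appears to be evaluated before the SYN limit, so SSH SYNs to the anycast address never touch the bucket, which is correct; the remaining ports on the anycast and unicast addresses do share it, and the raised `burst 1024` applies to both together. If the anycast service is the one expected to absorb floods, a separate limit rule with `ip daddr $ip-anycast` would stop an anycast flood from pushing unicast SSH into synproxy; otherwise record in the comment that a single bucket across both addresses is intended. The synproxy chain is not in this hunk.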


@ -38,7 +38,7 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
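Review bot: The line comment still says only that excess connections go to synproxy; after this change it should also carry what the two numbers mean, because `1024/second` and `burst 1024 packets` now look interchangeable but are not: the rate is the sustained refill and the burst is the bucket depth. A one-line comment such as `# bucket: refill 1024 SYN/s, depth 1024; rate-over matches once the bucket is empty` prevents someone from "fixing" one by copying the other. The chain and the synproxy rules that consume the notrack'd SYNs lie outside the hunk.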


@ -48,7 +48,7 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
meta l4proto { tcp, udp } accept meta l4proto { tcp, udp } accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
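Review bot: `tcp flags syn` here also matches SYN+ACK and SYN+FIN combinations, so malformed or reflected segments count against the enlarged `burst 1024`; `tcp flags & (syn | ack) == syn` restricts the rule to handshake-opening SYNs, which is what the conntrack-exhaustion comment is about. It is a one-token change on the changed line and does not alter what happens to matched packets. The synproxy chain this hands off to is outside the hunk.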