simplify rate limited synproxy bypass
This commit is contained in:
parent
ca35fcc648
commit
c412fec336
@ -45,8 +45,7 @@ table inet filter {
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
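Review bot: `tcp flags syn` in whichever of the three changed lines is the new side (the page shows no +/- markers, only the hunk counts of two removed and one added) matches any segment with SYN set, including SYN-ACK, so a stray inbound SYN-ACK to 22/80/443 is also marked notrack; if only handshake-opening segments should reach synproxy, write the match as `tcp flags & (syn | ack) == syn`. If the surviving line is the unconditional `tcp flags syn counter notrack accept`, the comment above it still says "beyond rate limit" and should become `# hand all new TCP connections on these ports to synproxy to avoid conntrack table exhaustion`; if instead the single `limit rate over … counter notrack accept` rule survives, under-limit SYNs now fall through to later rules, which must admit them into conntrack. Either way `limit rate` here is one global token bucket, not per source, so a single peer exceeding 1024 SYN/s pushes every client's new connections through synproxy — worth stating with `# global limit, deliberately not per-source`. The chain's policy and the `synproxy` rule that consumes these untracked SYNs lie outside the hunk.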
|
||||
|
@ -45,8 +45,7 @@ table inet filter {
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
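Review bot: Whichever changed line survives here, `limit rate 1024/second burst 128 packets` with no `meter` or source key is a single global bucket, so one peer sending more than 1024 SYN/s diverts every new connection on 22/80/443 into synproxy for all clients; a comment such as `# global (not per-source) limit: overflow SYNs bypass conntrack and are answered by synproxy` would record that this is intended. If the new line is the unconditional `counter notrack accept`, the "beyond rate limit" wording in the comment above no longer describes the rule. The page carries no +/- markers, so which of the three lines is the new side is inferred from the hunk counts; the chain policy and the synproxy rule are outside the hunk.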
|
||||
|
@ -45,8 +45,7 @@ table inet filter {
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
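Review bot: Ports 25, 465 and 993 are placed on the notrack/synproxy path alongside 22/80/443, which means synproxy completes the handshake for SMTP and IMAP clients before the daemon sees them; synproxy answers with its own TCP options, so the `synproxy` rule that consumes these untracked SYNs (outside the hunk) needs `mss`/`wscale` values that match the host, or mail transfer throughput degrades — a comment pointing at that rule would help. Which of the three changed lines is the new side cannot be read from the page (no +/- markers); if it is the unconditional `tcp flags syn counter notrack accept`, the comment above it, still saying "beyond rate limit", should read `# hand all new TCP connections on these ports to synproxy to avoid conntrack table exhaustion`. `tcp flags syn` also matches SYN-ACK; `tcp flags & (syn | ack) == syn` restricts the notrack path to handshake-opening segments.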
|
||||
|
@ -45,8 +45,7 @@ table inet filter {
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
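Review bot: If the line that survives here is the single `limit rate over 1024/second burst 128 packets counter notrack accept`, SYNs under the limit no longer hit an explicit accept and fall through to whatever follows, so a later rule or the chain policy must admit them into conntrack; a one-line comment such as `# under-limit SYNs fall through and are tracked normally` would make that dependency explicit. If instead the unconditional `counter notrack accept` is the new line, the "beyond rate limit" comment above is stale. The page has no +/- markers, so the new side is inferred from the hunk counts (two removed, one added) and cannot be pinned to a line; the chain's policy is outside the hunk.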
|
||||
|
@ -47,8 +47,7 @@ table inet filter {
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
udp dport 123 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
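Review bot: Port 7275 is folded into the same notrack/synproxy set as 22/80/443, but nothing on the page says what listens there; a short comment naming the service, e.g. `# 7275: <service> — TODO name it`, would keep the port list self-explanatory for the next reader. Whichever of the three changed lines is the new side (no +/- markers survive on the page), `tcp flags syn` also matches SYN-ACK, and `tcp flags & (syn | ack) == syn` limits the notrack path to handshake-opening segments. `udp dport 123 notrack accept` below leaves NTP untracked, consistent with the hunk's conntrack-exhaustion goal; the chain policy and the synproxy rule are outside the hunk.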
|
||||
|
@ -47,8 +47,7 @@ table inet filter {
|
||||
udp dport 53 notrack accept
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
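Review bot: TCP 53 and 853 go through the notrack/synproxy path here while `udp dport 53 notrack accept` above already leaves UDP DNS untracked, so TCP fallback and DoT connections to this resolver are only seen by the daemon once synproxy (outside the hunk) has completed the handshake; a comment such as `# TCP DNS/DoT handshakes are completed by synproxy before the resolver sees them` would document that dependency. The page has no +/- markers, so which changed line survives is inferred from the hunk counts; if it is the unconditional `counter notrack accept`, the "beyond rate limit" comment above is stale. `tcp flags syn` also matches SYN-ACK; `tcp flags & (syn | ack) == syn` is the precise match.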
|
||||
|
@ -52,8 +52,7 @@ table inet filter {
|
||||
udp dport 53 notrack accept
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
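Review bot: The `limit rate` on the rate-limited line is global rather than per-source, so on this resolver one abusive client exceeding 1024 SYN/s moves every other client's TCP 53/853 handshakes onto synproxy as well; if that is the intended degradation mode, say so with `# global limit: overflow SYNs from any source are answered by synproxy`. Which of the three changed lines is the new side cannot be read from the page (no +/- markers, only the hunk counts); if the unconditional `counter notrack accept` survives, the "beyond rate limit" comment above should be reworded. The synproxy rule and chain policy these untracked SYNs depend on lie outside the hunk.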
|
||||
|
@ -45,8 +45,7 @@ table inet filter {
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
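Review bot: `tcp flags syn` in the surviving rule also matches SYN-ACK segments, so an unsolicited inbound SYN-ACK to 22/80/443 is marked notrack as well; `tcp flags & (syn | ack) == syn` would restrict the synproxy path to handshake-opening segments. The page shows no +/- markers, so which of the three changed lines is the new side is inferred; if it is the unconditional `counter notrack accept`, the comment above it still says "beyond rate limit" and should be updated. The chain policy and the synproxy rule are outside the hunk.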
|
||||
|
@ -49,8 +49,7 @@ table inet filter {
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
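Review bot: If the single `limit rate over … counter notrack accept` rule is the line that survives, under-limit SYNs have no explicit accept in this hunk and depend on a later rule or the chain policy to be tracked normally; `# under-limit SYNs fall through to normal conntrack handling` above it would state that. If instead the unconditional `counter notrack accept` is new, the rate limit is gone and the "beyond rate limit" comment no longer applies. The page carries no +/- markers, so the new side is inferred from the hunk counts (two removed, one added); the rest of the chain is outside the hunk.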
|
||||
|