diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index a2e113f..1b0418e 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -45,8 +45,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
- tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index f61b4d0..5ded4db 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -45,8 +45,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
- tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 351988d..ffb845f 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -45,8 +45,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
- tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
+ tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 17002ef..f5d1fd0 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -45,8 +45,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
- tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-network.conf b/nftables-network.conf
index 6088aa8..1558ef1 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -47,8 +47,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
- tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
+ tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
 udp dport 123 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index a714516..d004ed1 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -47,8 +47,7 @@ table inet filter {
 udp dport 53 notrack accept
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 6a002aa..7367273 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -52,8 +52,7 @@ table inet filter {
 udp dport 53 notrack accept
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-social.conf b/nftables-social.conf
index 087aac3..c952575 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -45,8 +45,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
- tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-web.conf b/nftables-web.conf
index d47464e..6e1a3c2 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -49,8 +49,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
- tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
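Review bot: The merged `limit rate over … counter notrack accept` rule only decides the fate of SYNs beyond the limit; SYNs within the limit, which the removed first rule accepted explicitly, now fall through to the rest of the chain, and the chain's hook, priority and policy are outside this hunk. That is equivalent to the old pair only if the chain policy is `accept` so that in-limit SYNs reach conntrack normally — please confirm, and record the dependency above the rule, e.g. `# SYNs within the limit are not matched here: they fall through to the chain policy and are tracked normally`. A smaller point: `tcp flags syn` also matches SYN+ACK segments, so if only connection-initiating SYNs are meant to take the synproxy path, `tcp flags & (syn | ack) == syn` is the precise match. The identical change is made in the other eight files of this diff and the same remarks apply to each of them.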