Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-01-03 11:00:49 -05:00
Code Issues Packages Projects Releases Wiki Activity

nftables: friendlier output traffic filtering

Browse Source
This commit is contained in:
Daniel Micay 2022-06-29 20:18:51 -04:00
parent 3ca0c347c6
commit e0ab41c4f4
6 changed files with 42 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
nftables-attestation.conf
View File

@ -47,6 +47,12 @@ table inet filter {
oif lo accept oif lo accept
skuid != {root, systemd-network, chrony, unbound, http, attestation} counter reject skuid != {root, systemd-network, chrony, unbound, http, attestation} counter goto output-reject
}
chain output-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject
} }
} }

8
nftables-discuss.conf
View File

@ -47,6 +47,12 @@ table inet filter {
oif lo accept oif lo accept
skuid != {root, systemd-network, chrony, unbound, http, flarum} counter reject skuid != {root, systemd-network, chrony, unbound, http, flarum} counter goto output-reject
}
chain output-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject
} }
} }

8
nftables-dns.conf
View File

@ -50,6 +50,12 @@ table inet filter {
oif lo accept oif lo accept
skuid != {root, systemd-network, chrony, unbound, powerdns} counter reject skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject
}
chain output-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject
} }
} }

8
nftables-mail.conf
View File

@ -47,6 +47,12 @@ table inet filter {
oif lo accept oif lo accept
skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter reject skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter goto output-reject
}
chain output-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject
} }
} }

8
nftables-matrix.conf
View File

@ -47,6 +47,12 @@ table inet filter {
oif lo accept oif lo accept
skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter reject skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject
}
chain output-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject
} }
} }

8
nftables-web.conf
View File

@ -47,6 +47,12 @@ table inet filter {
oif lo accept oif lo accept
skuid != {root, systemd-network, chrony, unbound, http} counter reject skuid != {root, systemd-network, chrony, unbound, http} counter goto output-reject
}
chain output-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject
} }
} }