nftables: explain ordering of strong host model check

Daniel Micay 2024-04-11 09:49:50 -04:00
parent b21ea0a23f
commit ecd14bddff
9 changed files with 18 additions and 0 deletions


@ -40,6 +40,8 @@ table inet filter {
iif lo notrack accept iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
#
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
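Review bot: The added comment `# ordered after accepting loopback to permit using external IPs via loopback` leaves the actual failure mode implicit; the existing comment above it says this rule drops packets whose daddr is not configured on the incoming interface, so a connection from this host to one of its own non-loopback addresses arrives on lo with a daddr that (if I read that semantics correctly) is not configured on lo and would be dropped unless the `iif lo notrack accept` rule runs first. Spelling that out makes the ordering constraint harder to break in a later reorder, e.g. `# must stay after the 'iif lo' accept: traffic to this host's own external IPs arrives on lo, where those addresses are not configured, and would otherwise match this drop`. The same two-line comment is added in all nine file sections of this commit, and the same wording applies to each. The enclosing `table inet filter` chain starts before and continues past the hunk.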


@ -40,6 +40,8 @@ table inet filter {
iif lo notrack accept iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
#
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept


@ -40,6 +40,8 @@ table inet filter {
iif lo notrack accept iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
#
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept


@ -40,6 +40,8 @@ table inet filter {
iif lo notrack accept iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
#
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept


@ -42,6 +42,8 @@ table inet filter {
iif lo notrack accept iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
#
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept


@ -40,6 +40,8 @@ table inet filter {
iif lo notrack accept iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
#
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept udp dport 53 notrack accept


@ -42,6 +42,8 @@ table inet filter {
iif lo notrack accept iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
#
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# reject SSH packets via anycast IP # reject SSH packets via anycast IP


@ -40,6 +40,8 @@ table inet filter {
iif lo notrack accept iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
#
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept


@ -44,6 +44,8 @@ table inet filter {
iif lo notrack accept iif lo notrack accept
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
#
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept