use consistent name for main connlimit

This will be extended to other services when they come under attack, which can be
automated in the future.
Daniel Micay 2024-04-09 20:29:11 -04:00
parent 275d63e8b3
commit ef63ff82d2
7 changed files with 42 additions and 42 deletions


@ -21,12 +21,12 @@ table inet filter {
flags dynamic
}
set ip-connlimit-http {
set ip-connlimit-main {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
set ip6-connlimit-main {
type ipv6_addr
flags dynamic
}
@ -58,8 +58,8 @@ table inet filter {
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
@ -67,8 +67,8 @@ table inet filter {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
}


@ -21,12 +21,12 @@ table inet filter {
flags dynamic
}
set ip-connlimit-http {
set ip-connlimit-main {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
set ip6-connlimit-main {
type ipv6_addr
flags dynamic
}
@ -61,8 +61,8 @@ table inet filter {
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
@ -70,8 +70,8 @@ table inet filter {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
}


@ -21,12 +21,12 @@ table inet filter {
flags dynamic
}
set ip-connlimit-http {
set ip-connlimit-main {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
set ip6-connlimit-main {
type ipv6_addr
flags dynamic
}
@ -58,8 +58,8 @@ table inet filter {
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport { 80, 443 } ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
@ -67,8 +67,8 @@ table inet filter {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
}


@ -21,12 +21,12 @@ table inet filter {
flags dynamic
}
set ip-connlimit-http {
set ip-connlimit-main {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
set ip6-connlimit-main {
type ipv6_addr
flags dynamic
}
@ -58,8 +58,8 @@ table inet filter {
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
@ -67,8 +67,8 @@ table inet filter {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
}


@ -23,12 +23,12 @@ table inet filter {
flags dynamic
}
set ip-connlimit-supl {
set ip-connlimit-main {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-supl {
set ip6-connlimit-main {
type ipv6_addr
flags dynamic
}
@ -62,8 +62,8 @@ table inet filter {
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 7275 ip saddr @ip-connlimit-supl counter reject with tcp reset
tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-supl counter reject with tcp reset
tcp dport 7275 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
@ -71,8 +71,8 @@ table inet filter {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 7275 add @ip-connlimit-supl { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 7275 add @ip6-connlimit-supl { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
}


@ -21,12 +21,12 @@ table inet filter {
flags dynamic
}
set ip-connlimit-http {
set ip-connlimit-main {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
set ip6-connlimit-main {
type ipv6_addr
flags dynamic
}
@ -58,8 +58,8 @@ table inet filter {
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
@ -67,8 +67,8 @@ table inet filter {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
}


@ -25,12 +25,12 @@ table inet filter {
flags dynamic
}
set ip-connlimit-http {
set ip-connlimit-main {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
set ip6-connlimit-main {
type ipv6_addr
flags dynamic
}
@ -62,8 +62,8 @@ table inet filter {
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
@ -71,8 +71,8 @@ table inet filter {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
}