Daniel Micay
39b7e1f479
add counter to connection limit reject rules
2024-03-30 02:12:18 -04:00
Daniel Micay
280eb51c8d
rename loopback chains for clarity
2024-03-30 02:12:00 -04:00
Daniel Micay
9b40bb90b8
split out input chain for loopback
2024-03-30 02:12:00 -04:00
Daniel Micay
8c929f02ac
enforce IPv6 SSH connection limit for /48 blocks
Since our primary servers using SSH to mirror their TLS certificates to
replicas are now allowlisted, we can use a stricter block size than we
could with the PerSourceMaxStartups approach in sshd.
2024-03-28 11:38:06 -04:00
Daniel Micay
cd59960e7b
move IP-based SSH connection limits to nftables
We use synproxy for establishing all new connections to the SSH port and
enforce a connection limit between synproxy and the standard network
stack. Once the connection limit is reached, it's also enforced for new
connections at the synproxy layer. This avoids creating conntrack and
connection limit set entries until connections are already established
to avoid packets with spoofed source addresses exhausting these limited
size tables. Primary servers using SSH to mirror TLS certificates to
their replicas are allowlisted.
2024-03-28 11:38:03 -04:00
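The two commits above (8c929f02ac and cd59960e7b) describe the design in prose only. What follows is an added illustration of that design written for this page, not the GrapheneOS infrastructure ruleset itself: an nftables table that fronts SSH with synproxy, counts established connections per source in a dynamic set that only gains entries after synproxy has completed the handshake, exempts allowlisted primaries, puts a counter on each reject rule, keys the IPv6 limit on /48 blocks, and, once a source is over the limit, drops its further SYNs before synproxy so no handshake is spent on them. It also carries the `fib saddr . iif oif missing` strict reverse path filter from commit ec2cbbdb4e. Every address, the limit of 4, the 1 minute block timeout, the set sizes and the synproxy TCP options are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not the project's own ruleset. Pairs with the sysctl
# net.netfilter.nf_conntrack_tcp_loose=0 so conntrack never adopts a mid-stream
# packet that did not go through synproxy.
flush ruleset

table inet filter {
    # Allowlisted primaries (assumed documentation-prefix addresses).
    set ssh_allow4 { type ipv4_addr; flags interval; elements = { 192.0.2.10, 198.51.100.0/29 } }
    set ssh_allow6 { type ipv6_addr; flags interval; elements = { 2001:db8:f00::/48 } }

    # Per-source established-connection counters. An entry is created only by the
    # ct state new rule below, which synproxy reaches after the handshake, so a
    # spoofed SYN flood cannot fill these tables.
    set ssh_limit4 { type ipv4_addr; flags dynamic; size 65536; }
    set ssh_limit6 { type ipv6_addr; flags dynamic; size 65536; }

    # Sources currently over the limit, checked before synproxy. IPv6 entries are
    # stored already masked to the /48.
    set ssh_blocked4 { type ipv4_addr; flags dynamic,timeout; size 65536; }
    set ssh_blocked6 { type ipv6_addr; flags dynamic,timeout; size 65536; }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Strict reverse path filtering: no route back to the source over the
        # arriving interface means the packet is dropped before conntrack sees it.
        fib saddr . iif oif missing counter drop
        # Leave SSH SYNs untracked so synproxy, not conntrack, answers them.
        tcp dport 22 tcp flags syn notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Sources already over the limit never reach synproxy.
        tcp dport 22 ip saddr @ssh_blocked4 counter drop
        tcp dport 22 ip6 saddr & ffff:ffff:ffff:: @ssh_blocked6 counter drop

        # The untracked SYN and the client's cookie ACK are handled by synproxy;
        # the local stack sees nothing until the handshake has completed.
        tcp dport 22 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm

        ct state invalid counter drop
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Accept only genuine loopback sources here. The SYN synproxy hands to the
        # stack is routed via lo with the client's source address, so a blanket
        # "iif lo accept" placed above the SSH rules would bypass the limit.
        iif lo ip saddr 127.0.0.0/8 accept
        iif lo ip6 saddr ::1 accept

        # Connection handed to the stack by synproxy: primaries are exempt, other
        # sources are counted per IPv4 address or per IPv6 /48 (limit 4 assumed).
        tcp dport 22 ct state new ip saddr @ssh_allow4 accept
        tcp dport 22 ct state new ip6 saddr @ssh_allow6 accept
        tcp dport 22 ct state new add @ssh_limit4 { ip saddr ct count over 4 } jump ssh_over_limit4
        tcp dport 22 ct state new add @ssh_limit6 { ip6 saddr & ffff:ffff:ffff:: ct count over 4 } jump ssh_over_limit6
        tcp dport 22 ct state new accept
    }

    # Over the limit: remember the source (block timeout assumed) so later SYNs
    # are dropped at the synproxy layer, count the event, and reset the client.
    chain ssh_over_limit4 {
        add @ssh_blocked4 { ip saddr timeout 1m }
        counter reject with tcp reset
    }
    chain ssh_over_limit6 {
        add @ssh_blocked6 { ip6 saddr & ffff:ffff:ffff:: timeout 1m }
        counter reject with tcp reset
    }
}
```

Load with `nft -c -f` first to syntax-check, then `nft -f`. The counters on the two reject rules and the contents of `ssh_blocked4`/`ssh_blocked6` (`nft list set inet filter ssh_blocked6`) are what an operator would watch to confirm the limit is being hit by real sources rather than by a legitimate primary that is missing from the allowlist.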
Daniel Micay
16ef317460
nftables: rename output-reject to graceful-reject
2024-03-27 12:31:09 -04:00
Daniel Micay
14e9cd5b76
use standard style for nftables sets
2024-03-24 16:23:54 -04:00
Daniel Micay
0ac67c38c3
allow IPv6 SSH for discuss.grapheneos.org
This could be useful and disabling it isn't necessary for blocking IPv6
connections to the forum.
2024-03-24 15:41:13 -04:00
Daniel Micay
7b64ffd4cd
simplify nftables based on strong host model
2024-03-24 15:22:00 -04:00
Daniel Micay
59984a477c
enforce strong host model via nftables
2024-03-24 14:36:24 -04:00
Daniel Micay
ec2cbbdb4e
enforce strict reverse path filtering via nftables
2024-03-23 13:35:49 -04:00
Daniel Micay
15a2fa132f
disable services on IPv6 for discussion forum
2023-12-22 17:47:49 -05:00
Daniel Micay
5cef4a2aa6
allow geoipupdate internet access for discuss
2023-12-21 09:44:05 -05:00
Daniel Micay
07dca7919d
reorder network allowlists for consistency
2022-08-10 11:13:31 -04:00
Daniel Micay
984d0f200f
nftables: implement loopback access control
2022-07-25 20:47:29 -04:00
Daniel Micay
ad6e998ec2
nftables: filter input service traffic by dst addr
2022-07-21 19:32:43 -04:00
Daniel Micay
fdf21af1ae
nftables: use notrack accept instead of notrack
2022-07-21 17:31:16 -04:00
Daniel Micay
f7da683012
nftables: simplify ICMP handling
2022-07-18 22:14:35 -04:00
Daniel Micay
494247747c
add flarum-admin user
2022-07-12 17:36:13 -04:00
Daniel Micay
32074453eb
nftables: use numeric port format
2022-06-30 07:02:34 -04:00
Daniel Micay
01f9274fc4
nftables: implement output filtering for loopback
2022-06-30 06:41:52 -04:00
Daniel Micay
e0ab41c4f4
nftables: friendlier output traffic filtering
2022-06-29 21:27:01 -04:00
Daniel Micay
3ca0c347c6
add baseline nftables configurations
2022-06-29 10:53:07 -04:00