Daniel Micay
27bd153454
nftables: use allowlist for ICMP types
2024-07-25 23:13:29 -04:00
Daniel Micay
ba79d80b52
raise burst value for synproxy threshold
2024-04-26 16:30:49 -04:00
Daniel Micay
c99b8d0b47
nftables: use default drop in prerouting-raw table
2024-04-26 10:42:45 -04:00
Daniel Micay
ee62868a7b
nftables: use standard order for verdict map
2024-04-23 03:30:15 -04:00
Daniel Micay
965bc4f951
nftables: add invalid case to ct state vmap
...
This might as well be dropped by the verdict map instead of falling
through to the default drop policy.
2024-04-23 02:38:40 -04:00
Daniel Micay
5ba6cbd3d1
nftables: simplify rules via untracked state
2024-04-23 02:34:17 -04:00
Daniel Micay
398acc6fe8
nftables: drop instead of reject for unused ports
...
This provides consistency with DDoS protection services placed in front
of the services rather than the behavior changing based on whether DDoS
protection is active. This doesn't help with protecting against attacks
since they'll almost always be targeting ports with services active or
exhausting inbound bandwidth via UDP reflection attacks. This appears to
be the standard approach used by most large tech companies.
2024-04-19 13:54:12 -04:00
Daniel Micay
b17b2f3fd3
nftables: add define for ns2.grapheneos.org anycast IP
2024-04-18 10:45:53 -04:00
Daniel Micay
741ea728ea
nftables: move output skuid checks to raw phase
...
This is a minor simplification and also a minor optimization.
2024-04-17 15:28:16 -04:00
Daniel Micay
7782c861cb
nftables: reorder rule for rejecting SSH via anycast
2024-04-15 23:54:17 -04:00
Daniel Micay
8caa777e11
add connection limit allowlist for mail server
2024-04-15 23:21:26 -04:00
Daniel Micay
dade50c832
nftables: drop unnecessary ssh localhost allowlist
2024-04-15 22:38:36 -04:00
Daniel Micay
bd6f127acf
move nftables configuration to a directory
2024-04-12 21:33:35 -04:00