Commit Graph

13 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| Daniel Micay | 27bd153454 | nftables: use allowlist for ICMP types | 2024-07-25 23:13:29 -04:00 |
| Daniel Micay | ba79d80b52 | raise burst value for synproxy threshold | 2024-04-26 16:30:49 -04:00 |
| Daniel Micay | c99b8d0b47 | nftables: use default drop in prerouting-raw table | 2024-04-26 10:42:45 -04:00 |
| Daniel Micay | ee62868a7b | nftables: use standard order for verdict map | 2024-04-23 03:30:15 -04:00 |
| Daniel Micay | 965bc4f951 | nftables: add invalid case to ct state vmap. This might as well be dropped by the verdict map instead of falling through to the default drop policy. | 2024-04-23 02:38:40 -04:00 |
| Daniel Micay | 5ba6cbd3d1 | nftables: simplify rules via untracked state | 2024-04-23 02:34:17 -04:00 |
| Daniel Micay | 398acc6fe8 | nftables: drop instead of reject for unused ports. This provides consistency with DDoS protection services placed in front of the services rather than the behavior changing based on whether DDoS protection is active. This doesn't help with protecting against attacks since they'll almost always be targeting ports with services active or exhausting inbound bandwidth via UDP reflection attacks. This appears to be the standard approach used by most large tech companies. | 2024-04-19 13:54:12 -04:00 |
| Daniel Micay | b17b2f3fd3 | nftables: add define for ns2.grapheneos.org anycast IP | 2024-04-18 10:45:53 -04:00 |
| Daniel Micay | 741ea728ea | nftables: move output skuid checks to raw phase. This is a minor simplification and also a minor optimization. | 2024-04-17 15:28:16 -04:00 |
| Daniel Micay | 7782c861cb | nftables: reorder rule for rejecting SSH via anycast | 2024-04-15 23:54:17 -04:00 |
| Daniel Micay | 8caa777e11 | add connection limit allowlist for mail server | 2024-04-15 23:21:26 -04:00 |
| Daniel Micay | dade50c832 | nftables: drop unnecessary ssh localhost allowlist | 2024-04-15 22:38:36 -04:00 |
| Daniel Micay | bd6f127acf | move nftables configuration to a directory | 2024-04-12 21:33:35 -04:00 |