Commit Graph

7 Commits

Author SHA1 Message Date
Daniel Micay
5ba6cbd3d1 nftables: simplify rules via untracked state 2024-04-23 02:34:17 -04:00
Daniel Micay
398acc6fe8 nftables: drop instead of reject for unused ports
This provides consistency with DDoS protection services placed in front
of the services rather than the behavior changing based on whether DDoS
protection is active. This doesn't help with protecting against attacks
since they'll almost always be targeting ports with services active or
exhausting inbound bandwidth via UDP reflection attacks. This appears to
be the standard approach used by most large tech companies.
2024-04-19 13:54:12 -04:00
Daniel Micay
b17b2f3fd3 nftables: add define for ns2.grapheneos.org anycast IP 2024-04-18 10:45:53 -04:00
Daniel Micay
741ea728ea nftables: move output skuid checks to raw phase
This is a minor simplification and also a minor optimization.
2024-04-17 15:28:16 -04:00
Daniel Micay
7782c861cb nftables: reorder rule for rejecting SSH via anycast 2024-04-15 23:54:17 -04:00
Daniel Micay
dade50c832 nftables: drop unnecessary ssh localhost allowlist 2024-04-15 22:38:36 -04:00
Daniel Micay
bd6f127acf move nftables configuration to a directory 2024-04-12 21:33:35 -04:00