Compare commits
9 Commits
471a0d6ccc
...
cd3849d355
Author | SHA1 | Date | |
---|---|---|---|
cd3849d355 | ||
ee62868a7b | ||
965bc4f951 | ||
5ba6cbd3d1 | ||
d369f159a9 | ||
9f99e9c3a5 | ||
eeaaf12886 | ||
4a985cbe29 | ||
1bc32489f1 |
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name grapheneos.network \
|
--cert-name grapheneos.network \
|
||||||
-d grapheneos.network \
|
-d grapheneos.network \
|
||||||
|
|
|
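Review bot: Adding `--elliptic-curve secp384r1` on a command that also passes `--reuse-key` will not by itself move an existing lineage to a P-384 key, because `--reuse-key` tells certbot to keep the current private key on renewal; depending on the certbot version this either silently renews on the old P-256 key or fails the renewal with an error about changing the curve while `--reuse-key` is set, until `--new-key` is passed once. The same one-line change recurs in all ten certbot sections on this page, so the same caveat applies to each host. A one-time run of each command with `--new-key` appended (or checking the key of the next issued certificate) would confirm the curve change actually took effect. The certificate's remaining `-d` lines continue outside the hunk in the multi-domain sections.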
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name grapheneos.org \
|
--cert-name grapheneos.org \
|
||||||
-d grapheneos.org \
|
-d grapheneos.org \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name releases.grapheneos.org \
|
--cert-name releases.grapheneos.org \
|
||||||
-d releases.grapheneos.org \
|
-d releases.grapheneos.org \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name attestation.app \
|
--cert-name attestation.app \
|
||||||
-d attestation.app \
|
-d attestation.app \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name discuss.grapheneos.org \
|
--cert-name discuss.grapheneos.org \
|
||||||
-d discuss.grapheneos.org
|
-d discuss.grapheneos.org
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name grapheneos.social \
|
--cert-name grapheneos.social \
|
||||||
-d grapheneos.social \
|
-d grapheneos.social \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name matrix.grapheneos.org \
|
--cert-name matrix.grapheneos.org \
|
||||||
-d matrix.grapheneos.org \
|
-d matrix.grapheneos.org \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name mta-sts.mail.grapheneos.org \
|
--cert-name mta-sts.mail.grapheneos.org \
|
||||||
-d mail.grapheneos.org \
|
-d mail.grapheneos.org \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name staging.attestation.app \
|
--cert-name staging.attestation.app \
|
||||||
-d staging.attestation.app
|
-d staging.attestation.app
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name staging.grapheneos.org \
|
--cert-name staging.grapheneos.org \
|
||||||
-d staging.grapheneos.org
|
-d staging.grapheneos.org
|
||||||
|
|
|
@ -47,16 +47,14 @@ table inet filter {
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
iif lo accept
|
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
|
||||||
ct state vmap { new : drop, established : accept, related : accept }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-tcp-service-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
|
|
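Review bot: The new `untracked : accept` entry in the input chain's `ct state vmap` accepts any packet that bypassed conntrack, and since the explicit `iif lo accept` and `meta l4proto { icmp, ipv6-icmp } accept` rules are removed in the same hunk, the chain's treatment of loopback and ICMP now depends entirely on `notrack` rules that are outside this hunk (presumably in a prerouting chain, as the synproxy comment below suggests for SYNs). Whether that is safe rests on those notrack rules staying narrowly scoped, which a reader of this chain cannot see; a comment above the vmap such as `# loopback, ICMP and synproxy SYNs are notrack'd in prerouting and arrive here as untracked; everything else is conntracked` would keep the policy reviewable. Two style nits in the same line: `untracked: accept` lacks the space before the colon the other entries use, and the reordered second vmap (`established`, `related`, `new`) is cosmetic since map entries are unordered. The same hunk recurs in the eight nftables sections that follow this one, so the comment belongs in each host's ruleset.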
@ -47,16 +47,14 @@ table inet filter {
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
iif lo accept
|
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
|
||||||
ct state vmap { new : drop, established : accept, related : accept }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-tcp-service-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
|
|
@ -59,16 +59,14 @@ table inet filter {
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
|
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
|
||||||
iif lo accept
|
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
|
||||||
ct state vmap { new : drop, established : accept, related : accept }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-tcp-service-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
|
|
@ -47,16 +47,14 @@ table inet filter {
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
iif lo accept
|
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
|
||||||
ct state vmap { new : drop, established : accept, related : accept }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-tcp-service-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
|
|
@ -56,17 +56,14 @@ table inet filter {
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
|
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
|
||||||
iif lo accept
|
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||||
udp dport 123 accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
|
||||||
ct state vmap { new : drop, established : accept, related : accept }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-tcp-service-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
|
|
@ -49,17 +49,14 @@ table inet filter {
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||||
iif lo accept
|
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||||
udp dport 53 accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
|
||||||
ct state vmap { new : drop, established : accept, related : accept }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-tcp-service-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
|
|
@ -61,17 +61,14 @@ table inet filter {
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||||
iif lo accept
|
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||||
udp dport 53 accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
|
||||||
ct state vmap { new : drop, established : accept, related : accept }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-tcp-service-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
|
|
@ -47,16 +47,14 @@ table inet filter {
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
iif lo accept
|
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
|
||||||
ct state vmap { new : drop, established : accept, related : accept }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-tcp-service-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
|
|
@ -57,16 +57,14 @@ table inet filter {
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
iif lo accept
|
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
|
||||||
ct state vmap { new : drop, established : accept, related : accept }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-tcp-service-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
|
|
@ -14,6 +14,7 @@ moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
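Review bot: `nmap` is added to the package list of every host in this compare (this line recurs in each of the package hunks below), with no rationale in the commit list; if it is for one-off diagnostics of the conntrack/untracked changes on this page, recording that purpose in the commit message, or installing it only on the host where it is needed, keeps the production package set auditable and avoids leaving a network scanner resident on each server. The package files appear to be plain lists with no comment syntax, so the note belongs in the commit record rather than the file.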
@ -15,6 +15,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -18,6 +18,7 @@ moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -15,6 +15,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -13,6 +13,7 @@ moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -17,6 +17,7 @@ moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -13,6 +13,7 @@ moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -17,6 +17,7 @@ moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -13,6 +13,7 @@ moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -17,6 +17,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -41,6 +41,5 @@ sysstat
|
||||||
tree
|
tree
|
||||||
unbound
|
unbound
|
||||||
vim
|
vim
|
||||||
whois
|
|
||||||
xfsprogs
|
xfsprogs
|
||||||
zopfli
|
zopfli
|
||||||
|
|
|
@ -17,6 +17,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
nodejs-lts-iron
|
nodejs-lts-iron
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
|
|
|
@ -16,6 +16,7 @@ moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
|
nmap
|
||||||
opendkim
|
opendkim
|
||||||
opendmarc
|
opendmarc
|
||||||
openssh
|
openssh
|
||||||
|
|
|
@ -21,6 +21,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
nodejs-lts-iron
|
nodejs-lts-iron
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
|
|
|
@ -18,6 +18,7 @@ moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -18,6 +18,7 @@ moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -17,6 +17,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|
|
@ -15,6 +15,7 @@ mtr
|
||||||
nftables
|
nftables
|
||||||
nginx
|
nginx
|
||||||
nginx-mod-brotli
|
nginx-mod-brotli
|
||||||
|
nmap
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
|