Compare commits


9 Commits

Author SHA1 Message Date
Tommy
d5cd3f681b
Merge eeaaf12886 into 7782c861cb 2024-04-17 10:06:39 +02:00
Daniel Micay
7782c861cb nftables: reorder rule for rejecting SSH via anycast 2024-04-15 23:54:17 -04:00
Daniel Micay
8caa777e11 add connection limit allowlist for mail server 2024-04-15 23:21:26 -04:00
Daniel Micay
dade50c832 nftables: drop unnecessary ssh localhost allowlist 2024-04-15 22:38:36 -04:00
Daniel Micay
9f84c50869 force DMARC enforcement for gmail.com 2024-04-15 11:42:03 -04:00
Daniel Micay
8278883a84 add grapheneos.foundation domain 2024-04-13 19:18:03 -04:00
Tommy
eeaaf12886
Typo fix 2023-09-07 19:57:24 -07:00
Tommy
4a985cbe29
Typo fix 2023-09-07 19:56:43 -07:00
Tommy
1bc32489f1
Use curve secp384r1 2023-09-07 19:51:41 -07:00
22 changed files with 57 additions and 90 deletions


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name grapheneos.network \ --cert-name grapheneos.network \
-d grapheneos.network \ -d grapheneos.network \
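Review bot: Adding `--elliptic-curve secp384r1` on the second line will presumably not change the key of a lineage that already exists, because `--reuse-key` on the same line tells certbot to keep the current private key; depending on the certbot version it either keeps the existing key or refuses the mismatch, so a one-time `--new-key` run (or one renewal without `--reuse-key`) is needed before a P-384 key actually appears in the issued certificate. The same applies to the identical change in the other certbot sections of this compare (grapheneos.org, releases.grapheneos.org, attestation.app, discuss.grapheneos.org, grapheneos.social, matrix.grapheneos.org, mta-sts.mail.grapheneos.org, staging.attestation.app, staging.grapheneos.org). A short comment above the command would record that, e.g. `# P-384 key; existing lineages keep their old key under --reuse-key until rotated once with --new-key`. The command continues past the end of the hunk.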


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name grapheneos.org \ --cert-name grapheneos.org \
-d grapheneos.org \ -d grapheneos.org \
@ -12,6 +12,8 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
-d www.grapheneos.com \ -d www.grapheneos.com \
-d grapheneos.dev \ -d grapheneos.dev \
-d www.grapheneos.dev \ -d www.grapheneos.dev \
-d grapheneos.foundation \
-d www.grapheneos.foundation \
-d grapheneos.info \ -d grapheneos.info \
-d www.grapheneos.info \ -d www.grapheneos.info \
-d grapheneos.net \ -d grapheneos.net \


@ -8,6 +8,7 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
-d ns2.grapheneos.ca \ -d ns2.grapheneos.ca \
-d ns2.grapheneos.com \ -d ns2.grapheneos.com \
-d ns2.grapheneos.dev \ -d ns2.grapheneos.dev \
-d ns2.grapheneos.foundation \
-d ns2.grapheneos.info \ -d ns2.grapheneos.info \
-d ns2.grapheneos.net \ -d ns2.grapheneos.net \
-d ns2.grapheneos.network \ -d ns2.grapheneos.network \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name releases.grapheneos.org \ --cert-name releases.grapheneos.org \
-d releases.grapheneos.org \ -d releases.grapheneos.org \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name attestation.app \ --cert-name attestation.app \
-d attestation.app \ -d attestation.app \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name discuss.grapheneos.org \ --cert-name discuss.grapheneos.org \
-d discuss.grapheneos.org -d discuss.grapheneos.org


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name grapheneos.social \ --cert-name grapheneos.social \
-d grapheneos.social \ -d grapheneos.social \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name matrix.grapheneos.org \ --cert-name matrix.grapheneos.org \
-d matrix.grapheneos.org \ -d matrix.grapheneos.org \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name mta-sts.mail.grapheneos.org \ --cert-name mta-sts.mail.grapheneos.org \
-d mail.grapheneos.org \ -d mail.grapheneos.org \
@ -10,6 +10,7 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
-d mta-sts.grapheneos.ca \ -d mta-sts.grapheneos.ca \
-d mta-sts.grapheneos.com \ -d mta-sts.grapheneos.com \
-d mta-sts.grapheneos.dev \ -d mta-sts.grapheneos.dev \
-d mta-sts.grapheneos.foundation \
-d mta-sts.grapheneos.info \ -d mta-sts.grapheneos.info \
-d mta-sts.grapheneos.net \ -d mta-sts.grapheneos.net \
-d mta-sts.grapheneos.network \ -d mta-sts.grapheneos.network \


@ -8,6 +8,7 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
-d ns1.grapheneos.ca \ -d ns1.grapheneos.ca \
-d ns1.grapheneos.com \ -d ns1.grapheneos.com \
-d ns1.grapheneos.dev \ -d ns1.grapheneos.dev \
-d ns1.grapheneos.foundation \
-d ns1.grapheneos.info \ -d ns1.grapheneos.info \
-d ns1.grapheneos.net \ -d ns1.grapheneos.net \
-d ns1.grapheneos.network \ -d ns1.grapheneos.network \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name staging.attestation.app \ --cert-name staging.attestation.app \
-d staging.attestation.app -d staging.attestation.app


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name staging.grapheneos.org \ --cert-name staging.grapheneos.org \
-d staging.grapheneos.org -d staging.grapheneos.org


@ -3,14 +3,6 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = {
127.0.0.1,
}
define ip6-allowlist-ssh = {
::1,
}
set ip-connlimit-ssh { set ip-connlimit-ssh {
type ipv4_addr type ipv4_addr
flags dynamic flags dynamic
@ -84,8 +76,8 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
@ -94,8 +86,8 @@ table inet filter {
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept


@ -3,14 +3,6 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = {
127.0.0.1,
}
define ip6-allowlist-ssh = {
::1,
}
set ip-connlimit-ssh { set ip-connlimit-ssh {
type ipv4_addr type ipv4_addr
flags dynamic flags dynamic
@ -84,8 +76,8 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
@ -94,8 +86,8 @@ table inet filter {
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept


@ -3,12 +3,16 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = { define ip-allowlist-main = {
127.0.0.1, 51.79.66.27, # attestation.app
51.79.52.38, # discuss.grapheneos.org
51.79.51.42, # matrix.grapheneos.org
} }
define ip6-allowlist-ssh = { define ip6-allowlist-main = {
::1, 2607:5300:205:200::7e9, # attestation.app
2607:5300:205:200::3c4, # discuss.grapheneos.org
2607:5300:205:200::26e1, # matrix.grapheneos.org
} }
set ip-connlimit-ssh { set ip-connlimit-ssh {
@ -84,20 +88,20 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
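Review bot: The new `ip-allowlist-main` and `ip6-allowlist-main` defines carry no comment explaining why these three hosts are exempt from the per-source connection limit, and on the rewritten lines `tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main ...` the exemption covers all five ports rather than only the ones those hosts need. Presumably they relay mail through this server, in which case the allowlist could skip the limit only for the mail ports, with the 80/443/993 limit left in force for them as well. If the broad exemption is intended, a comment on the define such as `# hosts exempt from the per-source connection limit on all service ports (they deliver mail through this server)` would make the trade-off explicit, since a listed host that misbehaves is no longer bounded by the connlimit on any of those ports. The `define` blocks and the two chains extend beyond the hunks shown.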


@ -3,14 +3,6 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = {
127.0.0.1,
}
define ip6-allowlist-ssh = {
::1,
}
set ip-connlimit-ssh { set ip-connlimit-ssh {
type ipv4_addr type ipv4_addr
flags dynamic flags dynamic
@ -84,8 +76,8 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
@ -94,8 +86,8 @@ table inet filter {
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept


@ -4,12 +4,10 @@ flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
127.0.0.1,
51.222.159.116, # 0.grapheneos.network 51.222.159.116, # 0.grapheneos.network
} }
define ip6-allowlist-ssh = { define ip6-allowlist-ssh = {
::1,
2607:5300:205:200::2584, # 0.grapheneos.network 2607:5300:205:200::2584, # 0.grapheneos.network
} }


@ -3,14 +3,6 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = {
127.0.0.1,
}
define ip6-allowlist-ssh = {
::1,
}
set ip-connlimit-ssh { set ip-connlimit-ssh {
type ipv4_addr type ipv4_addr
flags dynamic flags dynamic
@ -87,8 +79,8 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
@ -97,8 +89,8 @@ table inet filter {
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept


@ -4,12 +4,10 @@ flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
127.0.0.1,
198.98.53.141, # 0.ns2.grapheneos.org 198.98.53.141, # 0.ns2.grapheneos.org
} }
define ip6-allowlist-ssh = { define ip6-allowlist-ssh = {
::1,
2605:6400:10:102e:95bc:89ef:2e7f:49bb, # 0.ns2.grapheneos.org 2605:6400:10:102e:95bc:89ef:2e7f:49bb, # 0.ns2.grapheneos.org
} }
@ -46,11 +44,11 @@ table inet filter {
# ordered after accepting loopback to permit using external IPs via loopback # ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept
# reject SSH packets via anycast IP # reject SSH packets via anycast IP
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
udp dport 53 notrack accept
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
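Review bot: The anycast address on the moved line `tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset` is a bare literal, while the other host addresses in this file are kept in commented `define`s like `ip-allowlist-ssh`; moving it to `define ip-anycast = 198.251.90.93 # <anycast hostname>` and matching on `$ip-anycast` would keep the addresses in one place. Only an IPv4 anycast destination is rejected here; whether the resolver also answers on an IPv6 anycast address, which would need an `ip6 daddr` counterpart, is not visible from this hunk. The enclosing chain starts and ends outside the hunk.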


@ -3,14 +3,6 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = {
127.0.0.1,
}
define ip6-allowlist-ssh = {
::1,
}
set ip-connlimit-ssh { set ip-connlimit-ssh {
type ipv4_addr type ipv4_addr
flags dynamic flags dynamic
@ -84,8 +76,8 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
@ -94,8 +86,8 @@ table inet filter {
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept


@ -4,13 +4,11 @@ flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
127.0.0.1,
51.222.156.101, # 0.grapheneos.org 51.222.156.101, # 0.grapheneos.org
167.114.114.114, # 0.releases.grapheneos.org 167.114.114.114, # 0.releases.grapheneos.org
} }
define ip6-allowlist-ssh = { define ip6-allowlist-ssh = {
::1,
2607:5300:205:200::29c6, # 0.grapheneos.org 2607:5300:205:200::29c6, # 0.grapheneos.org
2607:5300:201:3100::6210, # 0.releases.grapheneos.org 2607:5300:201:3100::6210, # 0.releases.grapheneos.org
} }


@ -28,6 +28,10 @@ server:
# AF21 # AF21
ip-dscp: 18 ip-dscp: 18
# force DMARC enforcement
local-zone: "_dmarc.gmail.com" static
local-data: '_dmarc.gmail.com 600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com"'
forward-zone: forward-zone:
name: "." name: "."
forward-tls-upstream: yes forward-tls-upstream: yes
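Review bot: The added `local-zone`/`local-data` pair pins gmail.com's DMARC record to `p=quarantine` inside the resolver, so any later change Google makes to the published record (policy, `sp`/`pct` tags, the `rua` address) is silently masked, and the override applies to every client of this resolver rather than only the MTA that the commit is aimed at. The one-line comment `# force DMARC enforcement` should state that it overrides the published record and needs periodic re-checking, e.g. `# force DMARC enforcement: overrides the published _dmarc.gmail.com record for every client of this resolver; re-verify against the live record periodically`. Whether the MTA is the resolver's only client is not visible here. The `server:` block continues past the hunk.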