mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2024-06-14 00:42:19 +00:00
Compare commits
9 Commits
49ca30f3f6
...
d5cd3f681b
Author | SHA1 | Date | |
---|---|---|---|
|
d5cd3f681b | ||
|
7782c861cb | ||
|
8caa777e11 | ||
|
dade50c832 | ||
|
9f84c50869 | ||
|
8278883a84 | ||
|
eeaaf12886 | ||
|
4a985cbe29 | ||
|
1bc32489f1 |
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name grapheneos.network \
|
--cert-name grapheneos.network \
|
||||||
-d grapheneos.network \
|
-d grapheneos.network \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name grapheneos.org \
|
--cert-name grapheneos.org \
|
||||||
-d grapheneos.org \
|
-d grapheneos.org \
|
||||||
|
@ -12,6 +12,8 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
-d www.grapheneos.com \
|
-d www.grapheneos.com \
|
||||||
-d grapheneos.dev \
|
-d grapheneos.dev \
|
||||||
-d www.grapheneos.dev \
|
-d www.grapheneos.dev \
|
||||||
|
-d grapheneos.foundation \
|
||||||
|
-d www.grapheneos.foundation \
|
||||||
-d grapheneos.info \
|
-d grapheneos.info \
|
||||||
-d www.grapheneos.info \
|
-d www.grapheneos.info \
|
||||||
-d grapheneos.net \
|
-d grapheneos.net \
|
||||||
|
|
|
@ -8,6 +8,7 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
-d ns2.grapheneos.ca \
|
-d ns2.grapheneos.ca \
|
||||||
-d ns2.grapheneos.com \
|
-d ns2.grapheneos.com \
|
||||||
-d ns2.grapheneos.dev \
|
-d ns2.grapheneos.dev \
|
||||||
|
-d ns2.grapheneos.foundation \
|
||||||
-d ns2.grapheneos.info \
|
-d ns2.grapheneos.info \
|
||||||
-d ns2.grapheneos.net \
|
-d ns2.grapheneos.net \
|
||||||
-d ns2.grapheneos.network \
|
-d ns2.grapheneos.network \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name releases.grapheneos.org \
|
--cert-name releases.grapheneos.org \
|
||||||
-d releases.grapheneos.org \
|
-d releases.grapheneos.org \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name attestation.app \
|
--cert-name attestation.app \
|
||||||
-d attestation.app \
|
-d attestation.app \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name discuss.grapheneos.org \
|
--cert-name discuss.grapheneos.org \
|
||||||
-d discuss.grapheneos.org
|
-d discuss.grapheneos.org
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name grapheneos.social \
|
--cert-name grapheneos.social \
|
||||||
-d grapheneos.social \
|
-d grapheneos.social \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name matrix.grapheneos.org \
|
--cert-name matrix.grapheneos.org \
|
||||||
-d matrix.grapheneos.org \
|
-d matrix.grapheneos.org \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name mta-sts.mail.grapheneos.org \
|
--cert-name mta-sts.mail.grapheneos.org \
|
||||||
-d mail.grapheneos.org \
|
-d mail.grapheneos.org \
|
||||||
|
@ -10,6 +10,7 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
-d mta-sts.grapheneos.ca \
|
-d mta-sts.grapheneos.ca \
|
||||||
-d mta-sts.grapheneos.com \
|
-d mta-sts.grapheneos.com \
|
||||||
-d mta-sts.grapheneos.dev \
|
-d mta-sts.grapheneos.dev \
|
||||||
|
-d mta-sts.grapheneos.foundation \
|
||||||
-d mta-sts.grapheneos.info \
|
-d mta-sts.grapheneos.info \
|
||||||
-d mta-sts.grapheneos.net \
|
-d mta-sts.grapheneos.net \
|
||||||
-d mta-sts.grapheneos.network \
|
-d mta-sts.grapheneos.network \
|
||||||
|
|
|
@ -8,6 +8,7 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
-d ns1.grapheneos.ca \
|
-d ns1.grapheneos.ca \
|
||||||
-d ns1.grapheneos.com \
|
-d ns1.grapheneos.com \
|
||||||
-d ns1.grapheneos.dev \
|
-d ns1.grapheneos.dev \
|
||||||
|
-d ns1.grapheneos.foundation \
|
||||||
-d ns1.grapheneos.info \
|
-d ns1.grapheneos.info \
|
||||||
-d ns1.grapheneos.net \
|
-d ns1.grapheneos.net \
|
||||||
-d ns1.grapheneos.network \
|
-d ns1.grapheneos.network \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name staging.attestation.app \
|
--cert-name staging.attestation.app \
|
||||||
-d staging.attestation.app
|
-d staging.attestation.app
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name staging.grapheneos.org \
|
--cert-name staging.grapheneos.org \
|
||||||
-d staging.grapheneos.org
|
-d staging.grapheneos.org
|
||||||
|
|
|
@ -3,14 +3,6 @@
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
define ip-allowlist-ssh = {
|
|
||||||
127.0.0.1,
|
|
||||||
}
|
|
||||||
|
|
||||||
define ip6-allowlist-ssh = {
|
|
||||||
::1,
|
|
||||||
}
|
|
||||||
|
|
||||||
set ip-connlimit-ssh {
|
set ip-connlimit-ssh {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags dynamic
|
flags dynamic
|
||||||
|
@ -84,8 +76,8 @@ table inet filter {
|
||||||
# add connections established without synproxy to connection limit sets with limits enforced
|
# add connections established without synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
|
@ -94,8 +86,8 @@ table inet filter {
|
||||||
# add connections established with synproxy to connection limit sets with limits enforced
|
# add connections established with synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
|
|
|
@ -3,14 +3,6 @@
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
define ip-allowlist-ssh = {
|
|
||||||
127.0.0.1,
|
|
||||||
}
|
|
||||||
|
|
||||||
define ip6-allowlist-ssh = {
|
|
||||||
::1,
|
|
||||||
}
|
|
||||||
|
|
||||||
set ip-connlimit-ssh {
|
set ip-connlimit-ssh {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags dynamic
|
flags dynamic
|
||||||
|
@ -84,8 +76,8 @@ table inet filter {
|
||||||
# add connections established without synproxy to connection limit sets with limits enforced
|
# add connections established without synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
|
@ -94,8 +86,8 @@ table inet filter {
|
||||||
# add connections established with synproxy to connection limit sets with limits enforced
|
# add connections established with synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
|
|
|
@ -3,12 +3,16 @@
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
define ip-allowlist-ssh = {
|
define ip-allowlist-main = {
|
||||||
127.0.0.1,
|
51.79.66.27, # attestation.app
|
||||||
|
51.79.52.38, # discuss.grapheneos.org
|
||||||
|
51.79.51.42, # matrix.grapheneos.org
|
||||||
}
|
}
|
||||||
|
|
||||||
define ip6-allowlist-ssh = {
|
define ip6-allowlist-main = {
|
||||||
::1,
|
2607:5300:205:200::7e9, # attestation.app
|
||||||
|
2607:5300:205:200::3c4, # discuss.grapheneos.org
|
||||||
|
2607:5300:205:200::26e1, # matrix.grapheneos.org
|
||||||
}
|
}
|
||||||
|
|
||||||
set ip-connlimit-ssh {
|
set ip-connlimit-ssh {
|
||||||
|
@ -84,20 +88,20 @@ table inet filter {
|
||||||
# add connections established without synproxy to connection limit sets with limits enforced
|
# add connections established without synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
# add connections established with synproxy to connection limit sets with limits enforced
|
# add connections established with synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -3,14 +3,6 @@
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
define ip-allowlist-ssh = {
|
|
||||||
127.0.0.1,
|
|
||||||
}
|
|
||||||
|
|
||||||
define ip6-allowlist-ssh = {
|
|
||||||
::1,
|
|
||||||
}
|
|
||||||
|
|
||||||
set ip-connlimit-ssh {
|
set ip-connlimit-ssh {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags dynamic
|
flags dynamic
|
||||||
|
@ -84,8 +76,8 @@ table inet filter {
|
||||||
# add connections established without synproxy to connection limit sets with limits enforced
|
# add connections established without synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
|
@ -94,8 +86,8 @@ table inet filter {
|
||||||
# add connections established with synproxy to connection limit sets with limits enforced
|
# add connections established with synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
|
|
|
@ -4,12 +4,10 @@ flush ruleset
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
define ip-allowlist-ssh = {
|
define ip-allowlist-ssh = {
|
||||||
127.0.0.1,
|
|
||||||
51.222.159.116, # 0.grapheneos.network
|
51.222.159.116, # 0.grapheneos.network
|
||||||
}
|
}
|
||||||
|
|
||||||
define ip6-allowlist-ssh = {
|
define ip6-allowlist-ssh = {
|
||||||
::1,
|
|
||||||
2607:5300:205:200::2584, # 0.grapheneos.network
|
2607:5300:205:200::2584, # 0.grapheneos.network
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -3,14 +3,6 @@
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
define ip-allowlist-ssh = {
|
|
||||||
127.0.0.1,
|
|
||||||
}
|
|
||||||
|
|
||||||
define ip6-allowlist-ssh = {
|
|
||||||
::1,
|
|
||||||
}
|
|
||||||
|
|
||||||
set ip-connlimit-ssh {
|
set ip-connlimit-ssh {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags dynamic
|
flags dynamic
|
||||||
|
@ -87,8 +79,8 @@ table inet filter {
|
||||||
# add connections established without synproxy to connection limit sets with limits enforced
|
# add connections established without synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
|
@ -97,8 +89,8 @@ table inet filter {
|
||||||
# add connections established with synproxy to connection limit sets with limits enforced
|
# add connections established with synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
|
|
|
@ -4,12 +4,10 @@ flush ruleset
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
define ip-allowlist-ssh = {
|
define ip-allowlist-ssh = {
|
||||||
127.0.0.1,
|
|
||||||
198.98.53.141, # 0.ns2.grapheneos.org
|
198.98.53.141, # 0.ns2.grapheneos.org
|
||||||
}
|
}
|
||||||
|
|
||||||
define ip6-allowlist-ssh = {
|
define ip6-allowlist-ssh = {
|
||||||
::1,
|
|
||||||
2605:6400:10:102e:95bc:89ef:2e7f:49bb, # 0.ns2.grapheneos.org
|
2605:6400:10:102e:95bc:89ef:2e7f:49bb, # 0.ns2.grapheneos.org
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -46,11 +44,11 @@ table inet filter {
|
||||||
# ordered after accepting loopback to permit using external IPs via loopback
|
# ordered after accepting loopback to permit using external IPs via loopback
|
||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
|
udp dport 53 notrack accept
|
||||||
|
|
||||||
# reject SSH packets via anycast IP
|
# reject SSH packets via anycast IP
|
||||||
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
||||||
|
|
||||||
udp dport 53 notrack accept
|
|
||||||
|
|
||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||||
|
|
||||||
|
|
|
@ -3,14 +3,6 @@
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
define ip-allowlist-ssh = {
|
|
||||||
127.0.0.1,
|
|
||||||
}
|
|
||||||
|
|
||||||
define ip6-allowlist-ssh = {
|
|
||||||
::1,
|
|
||||||
}
|
|
||||||
|
|
||||||
set ip-connlimit-ssh {
|
set ip-connlimit-ssh {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags dynamic
|
flags dynamic
|
||||||
|
@ -84,8 +76,8 @@ table inet filter {
|
||||||
# add connections established without synproxy to connection limit sets with limits enforced
|
# add connections established without synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
|
@ -94,8 +86,8 @@ table inet filter {
|
||||||
# add connections established with synproxy to connection limit sets with limits enforced
|
# add connections established with synproxy to connection limit sets with limits enforced
|
||||||
chain input-tcp-service-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
|
|
|
@ -4,13 +4,11 @@ flush ruleset
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
define ip-allowlist-ssh = {
|
define ip-allowlist-ssh = {
|
||||||
127.0.0.1,
|
|
||||||
51.222.156.101, # 0.grapheneos.org
|
51.222.156.101, # 0.grapheneos.org
|
||||||
167.114.114.114, # 0.releases.grapheneos.org
|
167.114.114.114, # 0.releases.grapheneos.org
|
||||||
}
|
}
|
||||||
|
|
||||||
define ip6-allowlist-ssh = {
|
define ip6-allowlist-ssh = {
|
||||||
::1,
|
|
||||||
2607:5300:205:200::29c6, # 0.grapheneos.org
|
2607:5300:205:200::29c6, # 0.grapheneos.org
|
||||||
2607:5300:201:3100::6210, # 0.releases.grapheneos.org
|
2607:5300:201:3100::6210, # 0.releases.grapheneos.org
|
||||||
}
|
}
|
||||||
|
|
|
@ -28,6 +28,10 @@ server:
|
||||||
# AF21
|
# AF21
|
||||||
ip-dscp: 18
|
ip-dscp: 18
|
||||||
|
|
||||||
|
# force DMARC enforcement
|
||||||
|
local-zone: "_dmarc.gmail.com" static
|
||||||
|
local-data: '_dmarc.gmail.com 600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com"'
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "."
|
name: "."
|
||||||
forward-tls-upstream: yes
|
forward-tls-upstream: yes
|
||||||
|
|
Loading…
Reference in New Issue
Block a user