Compare commits
2 Commits
b928b197b0
...
a30b95f4af
Author | SHA1 | Date |
---|---|---|
Daniel Micay | a30b95f4af | |
Daniel Micay | ca35fcc648 |
|
@ -45,8 +45,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
|
|
@ -45,8 +45,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
|
|
@ -45,8 +45,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
|
|
@ -47,8 +47,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
udp dport 123 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
|
|
|
@ -47,8 +47,7 @@ table inet filter {
|
|||
udp dport 53 notrack accept
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
|
|
@ -52,8 +52,7 @@ table inet filter {
|
|||
udp dport 53 notrack accept
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
|
|
@ -45,8 +45,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
|
|
@ -49,8 +49,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
|
|
@ -32,6 +32,7 @@ postgresql-old-upgrade
|
|||
pv
|
||||
python-pip
|
||||
python-psycopg2
|
||||
python-pydantic
|
||||
rsync
|
||||
sshpass
|
||||
strace
|
||||
|
|
Loading…
Reference in New Issue