Compare commits
3 Commits
cb561de104
...
6a325f8798
Author | SHA1 | Date |
---|---|---|
Daniel Micay | 6a325f8798 | |
Daniel Micay | bd6f127acf | |
Daniel Micay | c412fec336 |
|
@ -45,8 +45,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
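Review bot: SYN packets under the rate limit are no longer matched by any rule in this hunk, so whether they are still accepted and connection-tracked depends on the chain policy and on rules outside the visible lines. This assumes the `limit rate over 1024/second` line is the added one and the two rules above it are removed; the page lost its +/- markers, but the 8 → 7 line count in the hunk header fits that reading. It is worth confirming the chain's policy is `accept` and stating the fall-through next to the rule, for example `# SYNs within the limit fall through to the chain policy and are tracked normally`. The chain starts above the hunk, so its type, hook and policy are not visible here. The same point applies to the other eight nftables hunks on this page, which make the same change with different port sets.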
|
|
@ -45,8 +45,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
|
@ -45,8 +45,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
|
@ -45,8 +45,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
|
@ -47,8 +47,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
udp dport 123 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
|
@ -47,8 +47,7 @@ table inet filter {
|
|||
udp dport 53 notrack accept
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
|
@ -52,8 +52,7 @@ table inet filter {
|
|||
udp dport 53 notrack accept
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
|
@ -45,8 +45,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
|
@ -49,8 +49,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
|
@ -100,9 +100,9 @@ charset-normalizer==3.3.2 \
|
|||
--hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
|
||||
--hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
|
||||
# via requests
|
||||
idna==3.6 \
|
||||
--hash=sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca \
|
||||
--hash=sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f
|
||||
idna==3.7 \
|
||||
--hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \
|
||||
--hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0
|
||||
# via requests
|
||||
ovh==1.1.0 \
|
||||
--hash=sha256:108f9b5a3b471193ce4a4589c7782f4bccbffe0ba03169774eb0472ac28ef679 \
|
||||
|
|