update python dependencies

move nftables configuration to a directory
simplify rate limited synproxy bypass
2024-04-12 21:33:35 -04:00 · 2024-04-12 21:33:35 -04:00 · 2024-04-12 21:33:33 -04:00
10 changed files with 12 additions and 21 deletions
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
+        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@ -47,8 +47,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        udp dport 123 notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@ -47,8 +47,7 @@ table inet filter {
        udp dport 53 notrack accept

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
+        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@ -52,8 +52,7 @@ table inet filter {
        udp dport 53 notrack accept

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
+        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
@ -49,8 +49,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/requirements.txt
+++ b/requirements.txt
@ -100,9 +100,9 @@ charset-normalizer==3.3.2 \
    --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
    --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
    # via requests
-idna==3.6 \
-    --hash=sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca \
-    --hash=sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f
+idna==3.7 \
+    --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \
+    --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0
    # via requests
 ovh==1.1.0 \
    --hash=sha256:108f9b5a3b471193ce4a4589c7782f4bccbffe0ba03169774eb0472ac28ef679 \
Author	SHA1	Message	Date
Daniel Micay	6a325f8798	update python dependencies	2024-04-12 21:33:35 -04:00
Daniel Micay	bd6f127acf	move nftables configuration to a directory	2024-04-12 21:33:35 -04:00
Daniel Micay	c412fec336	simplify rate limited synproxy bypass	2024-04-12 21:33:33 -04:00