

3 Commits

Author SHA1 Message Date
Daniel Micay ee62868a7b nftables: use standard order for verdict map 2024-04-23 03:30:15 -04:00
Daniel Micay 965bc4f951 nftables: add invalid case to ct state vmap
This might as well be dropped by the verdict map instead of falling
through to the default drop policy.
2024-04-23 02:38:40 -04:00
Daniel Micay 5ba6cbd3d1 nftables: simplify rules via untracked state 2024-04-23 02:34:17 -04:00
9 changed files with 18 additions and 39 deletions


@ -47,16 +47,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
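Review bot: `untracked: accept` in the catch-all input vmap accepts every packet conntrack was told to skip, whatever its port or protocol, not only the synproxy SYNs described by the comment in input-tcp-service; the `notrack` rule that creates that state is outside this hunk, so this accept is exactly as wide as that rule's scope and any future notrack rule widens it silently. Service-port SYNs are already diverted by `tcp dport { 22, 80, 443 } goto input-tcp-service` before the vmap, so from the visible lines the accept only matters for traffic to non-service ports; if some untracked flow does need it (for example replies to the host's own notrack'd queries), narrow the accept to that flow or record the invariant next to the map, e.g. `# untracked: accept only because prerouting notrack is limited to synproxy SYNs on the service ports (already diverted above)`. Otherwise `untracked : drop` keeps the chain's default-deny posture. As a style point, `untracked: accept` is the only element without a space before the colon; `untracked : accept` matches the rest of the map. The input chain's header lies above this hunk and input-tcp-service continues past it.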


@ -47,16 +47,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
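Review bot: The new `untracked: accept` element in the input chain's verdict map turns every notrack'd packet into an accept regardless of destination port, while the `notrack` rule that produces that state is not in this hunk; the safety of this line therefore depends entirely on how narrowly that rule is scoped, and nothing here documents the assumption. Since `tcp dport { 22, 80, 443 } goto input-tcp-service` already diverts the synproxy-relevant SYNs before the vmap is reached, consider `untracked : drop` here, or, if an untracked flow genuinely needs to reach this chain, state which one in a comment such as `# untracked: only synproxy SYNs are exempt from tracking; service ports are diverted above, so this matches nothing else`. `untracked: accept` also lacks the space before the colon used by the other four elements; `untracked : accept` is consistent. The enclosing input chain begins above this hunk and input-tcp-service continues below it.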


@ -59,16 +59,14 @@ table inet filter {
policy drop
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
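Review bot: `untracked: accept` in the input chain's catch-all vmap is a port-agnostic allow for anything conntrack has been told to skip, and on a host that also exposes 25, 465 and 993 that is a broad exemption to take on without a stated invariant; the `notrack` rule that creates the untracked state is outside this hunk, so a reader cannot tell from this file section what traffic the accept actually admits. The service ports are already diverted by `tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service` before this line, so if the only untracked packets are synproxy SYNs the accept is redundant and `untracked : drop` would preserve default-deny; if some untracked reply flow does rely on it, narrow the accept to that flow or document it, e.g. `# untracked: accept is safe only while prerouting notrack covers synproxy SYNs on the service ports alone`. Minor style point: `untracked: accept` is the one element written without a space before the colon. The input chain's header is above this hunk and input-tcp-service continues past it.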


@ -47,16 +47,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
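Review bot: Adding `untracked: accept` to the input chain's verdict map makes the chain accept any packet that bypassed conntrack, for every port and protocol, and the `notrack` rule that defines which packets those are is not visible in this hunk; the accept is therefore only as tight as that rule and nothing in the map records that dependency. Because `tcp dport { 22, 80, 443 } goto input-tcp-service` already diverts the synproxy SYNs before the vmap, the visible lines suggest this accept serves no service traffic; either use `untracked : drop` here, or, if a notrack'd reply flow needs to reach this chain, restrict the accept to it or annotate the map with `# untracked: relies on prerouting notrack being limited to synproxy SYNs on the service ports`. `untracked: accept` also omits the space before the colon that the other elements use; `untracked : accept` matches them. The input chain starts above this hunk and input-tcp-service continues below it.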


@ -56,17 +56,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
iif lo accept
udp dport 123 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
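Review bot: `untracked: accept` in the input chain's catch-all vmap admits every notrack'd packet regardless of port; on this host, where `udp dport 123 accept` already handles NTP before the map and `tcp dport { 22, 80, 443, 7275 } goto input-tcp-service` diverts the service ports, whether any legitimate traffic reaches this accept depends on a `notrack` rule that is outside the hunk. If NTP or another flow is exempt from tracking in both directions, the replies would arrive here as untracked and need this accept, but then the accept should be narrowed to that flow (for example an earlier `ct state untracked udp sport 123 accept`) rather than left port-agnostic; if nothing needs it, `untracked : drop` keeps the chain default-deny. Either way, record the assumption next to the map, e.g. `# untracked: matches only packets exempted by the prerouting notrack rule; keep that rule scoped to the service ports`. Style nit: `untracked: accept` is the only element without a space before the colon. The input chain's header is above this hunk and input-tcp-service continues past it.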


@ -49,17 +49,14 @@ table inet filter {
policy drop
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
iif lo accept
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
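Review bot: `untracked: accept` in the input chain's verdict map is a port-agnostic allow for anything exempt from conntrack, and on a DNS host that deserves a stated justification: inbound queries are already accepted by `udp dport 53 accept` before the map and the service ports by `tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service`, so the only traffic this element can admit is to ports not listed above, which is presumably the replies to the host's own notrack'd outbound queries if UDP 53 is exempt in both directions (the `notrack` rules are outside this hunk, so this is inferred). If that is the purpose, narrow the accept to that flow (for example `ct state untracked udp sport 53 accept` placed before the map) and switch the map element to `untracked : drop`, so a future notrack rule cannot silently widen what input accepts; at minimum, annotate it with `# untracked: replies to our own untracked DNS queries; prerouting notrack must stay limited to UDP 53 and synproxy SYNs`. Also, `untracked: accept` lacks the space before the colon used by the other elements. The input chain begins above this hunk and input-tcp-service continues below it.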


@ -61,17 +61,14 @@ table inet filter {
policy drop
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
iif lo accept
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
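Review bot: The `untracked: accept` element added to the input chain's catch-all vmap accepts every packet that skipped conntrack, for any port or protocol; with `udp dport 53 accept` and `tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service` already placed before the map, the accept can only matter for traffic to ports this file does not otherwise expose, and which packets arrive untracked is decided by a `notrack` rule outside this hunk. If the intent is to admit replies to the host's own untracked DNS traffic, prefer an explicit narrowed rule such as `ct state untracked udp sport 53 accept` ahead of the map with `untracked : drop` in the map itself, so the chain stays default-deny even if the notrack scope later grows; otherwise document the dependency in place, e.g. `# untracked: safe only while prerouting notrack is restricted to UDP 53 and synproxy SYNs on the service ports`. Style point: `untracked: accept` is the only element written without a space before the colon. The input chain's header lies above this hunk and input-tcp-service continues past it.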


@ -47,16 +47,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
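Review bot: `untracked: accept` in the input chain's verdict map accepts any packet conntrack has been told to skip, on every port, and the `notrack` rule that decides which packets those are is outside this hunk; the accept is therefore only as narrow as that rule, and nothing in the map says so. With `tcp dport { 22, 80, 443 } goto input-tcp-service` already diverting the synproxy SYNs before the map, the visible lines give no untracked flow that needs to reach this accept; `untracked : drop` would keep the chain default-deny, or, if an untracked reply flow does depend on it, restrict the accept to that flow or add `# untracked: accept is correct only while prerouting notrack covers synproxy SYNs on the service ports alone`. `untracked: accept` also lacks the space before the colon that the other elements use. The input chain starts above this hunk and input-tcp-service continues below it.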


@ -57,16 +57,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
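Review bot: `untracked: accept` in the input chain's catch-all vmap is a port-agnostic accept for everything exempt from conntrack, and it is introduced without stating which packets are expected to arrive untracked; the `notrack` rule that creates that state is not in this hunk, so the line is exactly as permissive as that rule and a later notrack change would widen input's accepts without touching this file section. The service ports are already diverted by `tcp dport { 22, 80, 443 } goto input-tcp-service` before the map, so if only synproxy SYNs are untracked this accept is redundant and `untracked : drop` preserves default-deny; if a notrack'd reply flow relies on it, narrow the accept to that flow or annotate the map, e.g. `# untracked: depends on prerouting notrack being limited to synproxy SYNs on the service ports`. As a style point, `untracked: accept` is the only element without a space before the colon; `untracked : accept` matches the rest. The input chain's header is above this hunk and input-tcp-service continues past it.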