Compare commits
5 Commits
d5cd3f681b
...
e462984dbe
Author | SHA1 | Date |
---|---|---|
Tommy | e462984dbe | |
Daniel Micay | 741ea728ea | |
Tommy | eeaaf12886 | |
Tommy | 4a985cbe29 | |
Tommy | 1bc32489f1 |
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name grapheneos.network \
|
--cert-name grapheneos.network \
|
||||||
-d grapheneos.network \
|
-d grapheneos.network \
|
||||||
|
|
|
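Review bot: The added `--elliptic-curve secp384r1` sits next to `--reuse-key`, so for a lineage that already exists certbot keeps the stored private key and the new curve only applies when a key is actually generated (first issuance, or a run that also passes `--new-key`); as far as I recall, recent certbot versions refuse a `--reuse-key` run whose `--key-type`/`--elliptic-curve` disagree with the stored key unless `--new-key` is given, so the first renewal after this change should be verified against the certbot version in use rather than assumed. I'd record the intent above the command: `# --reuse-key keeps the existing key; pass --new-key once to move an existing lineage to P-384`. The command continues past the hunk (trailing `\`). The same change appears in the sections for grapheneos.org, releases.grapheneos.org, attestation.app, discuss.grapheneos.org, grapheneos.social, matrix.grapheneos.org, mta-sts.mail.grapheneos.org, staging.attestation.app and staging.grapheneos.org, with the same caveat.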
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name grapheneos.org \
|
--cert-name grapheneos.org \
|
||||||
-d grapheneos.org \
|
-d grapheneos.org \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name releases.grapheneos.org \
|
--cert-name releases.grapheneos.org \
|
||||||
-d releases.grapheneos.org \
|
-d releases.grapheneos.org \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name attestation.app \
|
--cert-name attestation.app \
|
||||||
-d attestation.app \
|
-d attestation.app \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name discuss.grapheneos.org \
|
--cert-name discuss.grapheneos.org \
|
||||||
-d discuss.grapheneos.org
|
-d discuss.grapheneos.org
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name grapheneos.social \
|
--cert-name grapheneos.social \
|
||||||
-d grapheneos.social \
|
-d grapheneos.social \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name matrix.grapheneos.org \
|
--cert-name matrix.grapheneos.org \
|
||||||
-d matrix.grapheneos.org \
|
-d matrix.grapheneos.org \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name mta-sts.mail.grapheneos.org \
|
--cert-name mta-sts.mail.grapheneos.org \
|
||||||
-d mail.grapheneos.org \
|
-d mail.grapheneos.org \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name staging.attestation.app \
|
--cert-name staging.attestation.app \
|
||||||
-d staging.attestation.app
|
-d staging.attestation.app
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||||
--cert-name staging.grapheneos.org \
|
--cert-name staging.grapheneos.org \
|
||||||
-d staging.grapheneos.org
|
-d staging.grapheneos.org
|
||||||
|
|
|
@ -101,26 +101,20 @@ table inet filter {
|
||||||
chain output-raw {
|
chain output-raw {
|
||||||
type filter hook output priority raw
|
type filter hook output priority raw
|
||||||
|
|
||||||
oif lo notrack accept
|
oif lo goto output-raw-loopback
|
||||||
|
skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output-raw-loopback {
|
||||||
type filter hook output priority filter
|
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 notrack accept
|
||||||
|
skuid { chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 notrack accept
|
||||||
|
|
||||||
oif lo goto output-loopback
|
skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 notrack accept
|
||||||
skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject
|
skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 notrack accept
|
||||||
}
|
|
||||||
|
|
||||||
chain output-loopback {
|
|
||||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 accept
|
|
||||||
skuid { chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 accept
|
|
||||||
|
|
||||||
skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept
|
|
||||||
skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 accept
|
|
||||||
|
|
||||||
skuid != root counter goto graceful-reject
|
skuid != root counter goto graceful-reject
|
||||||
accept
|
notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain graceful-reject {
|
chain graceful-reject {
|
||||||
|
|
|
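Review bot: Reading the second line of each pair as the new side, `oif lo goto output-raw-loopback` now runs at raw priority and every accept in that chain is `notrack accept`, so loopback traffic is no longer conntracked in the output direction; the input path therefore has to accept untracked `iif lo` packets without relying on `ct state`, and the input chains and the body of `graceful-reject` are outside this hunk, so that pairing cannot be confirmed from here. The filter-priority `output` chain is removed entirely and its UID allowlist moves before conntrack, which is the intended effect, but it deserves a comment at the head of the new chain: `# loopback is accepted untracked here; the input side must accept lo untracked too (ct state will not match it)`. The same restructuring appears in the remaining `table inet filter` sections (the hunks starting at lines 101, 113, 101, 111, 104, 115, 101 and 111 of their respective files), with the same caveat.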
@ -101,23 +101,17 @@ table inet filter {
|
||||||
chain output-raw {
|
chain output-raw {
|
||||||
type filter hook output priority raw
|
type filter hook output priority raw
|
||||||
|
|
||||||
oif lo notrack accept
|
oif lo goto output-raw-loopback
|
||||||
|
skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output-raw-loopback {
|
||||||
type filter hook output priority filter
|
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
|
||||||
|
skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
|
||||||
oif lo goto output-loopback
|
|
||||||
skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
|
|
||||||
}
|
|
||||||
|
|
||||||
chain output-loopback {
|
|
||||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
|
||||||
skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
|
||||||
|
|
||||||
skuid != root counter goto graceful-reject
|
skuid != root counter goto graceful-reject
|
||||||
accept
|
notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain graceful-reject {
|
chain graceful-reject {
|
||||||
|
|
|
@ -113,23 +113,17 @@ table inet filter {
|
||||||
chain output-raw {
|
chain output-raw {
|
||||||
type filter hook output priority raw
|
type filter hook output priority raw
|
||||||
|
|
||||||
oif lo notrack accept
|
oif lo goto output-raw-loopback
|
||||||
|
skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output-raw-loopback {
|
||||||
type filter hook output priority filter
|
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
|
||||||
|
skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
|
||||||
oif lo goto output-loopback
|
|
||||||
skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
|
|
||||||
}
|
|
||||||
|
|
||||||
chain output-loopback {
|
|
||||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
|
||||||
skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
|
||||||
|
|
||||||
skuid != root counter goto graceful-reject
|
skuid != root counter goto graceful-reject
|
||||||
accept
|
notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain graceful-reject {
|
chain graceful-reject {
|
||||||
|
|
|
@ -101,33 +101,27 @@ table inet filter {
|
||||||
chain output-raw {
|
chain output-raw {
|
||||||
type filter hook output priority raw
|
type filter hook output priority raw
|
||||||
|
|
||||||
oif lo notrack accept
|
oif lo goto output-raw-loopback
|
||||||
|
skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output-raw-loopback {
|
||||||
type filter hook output priority filter
|
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 notrack accept
|
||||||
|
skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 notrack accept
|
||||||
|
|
||||||
oif lo goto output-loopback
|
skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 notrack accept
|
||||||
skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
|
|
||||||
}
|
|
||||||
|
|
||||||
chain output-loopback {
|
skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 notrack accept
|
||||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 accept
|
skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 notrack accept
|
||||||
skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 accept
|
skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 notrack accept
|
||||||
|
|
||||||
skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept
|
skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 notrack accept
|
||||||
|
skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 notrack accept
|
||||||
skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 accept
|
skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 notrack accept
|
||||||
skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
|
|
||||||
skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
|
|
||||||
|
|
||||||
skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 accept
|
|
||||||
skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
|
|
||||||
skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
|
|
||||||
|
|
||||||
skuid != root counter goto graceful-reject
|
skuid != root counter goto graceful-reject
|
||||||
accept
|
notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain graceful-reject {
|
chain graceful-reject {
|
||||||
|
|
|
@ -111,24 +111,18 @@ table inet filter {
|
||||||
chain output-raw {
|
chain output-raw {
|
||||||
type filter hook output priority raw
|
type filter hook output priority raw
|
||||||
|
|
||||||
oif lo notrack accept
|
oif lo goto output-raw-loopback
|
||||||
|
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
|
||||||
udp sport 123 notrack accept
|
udp sport 123 notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output-raw-loopback {
|
||||||
type filter hook output priority filter
|
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
|
||||||
|
skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
|
||||||
oif lo goto output-loopback
|
|
||||||
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
|
|
||||||
}
|
|
||||||
|
|
||||||
chain output-loopback {
|
|
||||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
|
||||||
skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
|
||||||
|
|
||||||
skuid != root counter goto graceful-reject
|
skuid != root counter goto graceful-reject
|
||||||
accept
|
notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain graceful-reject {
|
chain graceful-reject {
|
||||||
|
|
|
@ -104,29 +104,23 @@ table inet filter {
|
||||||
chain output-raw {
|
chain output-raw {
|
||||||
type filter hook output priority raw
|
type filter hook output priority raw
|
||||||
|
|
||||||
oif lo notrack accept
|
oif lo goto output-raw-loopback
|
||||||
|
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
|
||||||
udp sport 53 notrack accept
|
udp sport 53 notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output-raw-loopback {
|
||||||
type filter hook output priority filter
|
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
|
||||||
|
skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
|
||||||
|
|
||||||
oif lo goto output-loopback
|
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
|
||||||
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
|
skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
|
||||||
}
|
|
||||||
|
|
||||||
chain output-loopback {
|
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
|
||||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
|
||||||
skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
|
||||||
|
|
||||||
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
|
|
||||||
skuid http meta l4proto tcp th sport >= 1024 th dport 54 accept
|
|
||||||
|
|
||||||
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
|
|
||||||
|
|
||||||
skuid != root counter goto graceful-reject
|
skuid != root counter goto graceful-reject
|
||||||
accept
|
notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain graceful-reject {
|
chain graceful-reject {
|
||||||
|
|
|
@ -115,29 +115,23 @@ table inet filter {
|
||||||
chain output-raw {
|
chain output-raw {
|
||||||
type filter hook output priority raw
|
type filter hook output priority raw
|
||||||
|
|
||||||
oif lo notrack accept
|
oif lo goto output-raw-loopback
|
||||||
|
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
|
||||||
udp sport 53 notrack accept
|
udp sport 53 notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output-raw-loopback {
|
||||||
type filter hook output priority filter
|
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
|
||||||
|
skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
|
||||||
|
|
||||||
oif lo goto output-loopback
|
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
|
||||||
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
|
skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
|
||||||
}
|
|
||||||
|
|
||||||
chain output-loopback {
|
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
|
||||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
|
||||||
skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
|
||||||
|
|
||||||
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
|
|
||||||
skuid http meta l4proto tcp th sport >= 1024 th dport 54 accept
|
|
||||||
|
|
||||||
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
|
|
||||||
|
|
||||||
skuid != root counter goto graceful-reject
|
skuid != root counter goto graceful-reject
|
||||||
accept
|
notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain graceful-reject {
|
chain graceful-reject {
|
||||||
|
|
|
@ -101,25 +101,19 @@ table inet filter {
|
||||||
chain output-raw {
|
chain output-raw {
|
||||||
type filter hook output priority raw
|
type filter hook output priority raw
|
||||||
|
|
||||||
oif lo notrack accept
|
oif lo goto output-raw-loopback
|
||||||
|
skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output-raw-loopback {
|
||||||
type filter hook output priority filter
|
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
|
||||||
|
skuid { chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
|
||||||
|
|
||||||
oif lo goto output-loopback
|
skuid postgres udp sport >= 1024 udp dport >= 1024 notrack accept
|
||||||
skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject
|
|
||||||
}
|
|
||||||
|
|
||||||
chain output-loopback {
|
|
||||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
|
||||||
skuid { chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
|
||||||
|
|
||||||
skuid postgres udp sport >= 1024 udp dport >= 1024 accept
|
|
||||||
|
|
||||||
skuid != root counter goto graceful-reject
|
skuid != root counter goto graceful-reject
|
||||||
accept
|
notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain graceful-reject {
|
chain graceful-reject {
|
||||||
|
|
|
@ -111,23 +111,17 @@ table inet filter {
|
||||||
chain output-raw {
|
chain output-raw {
|
||||||
type filter hook output priority raw
|
type filter hook output priority raw
|
||||||
|
|
||||||
oif lo notrack accept
|
oif lo goto output-raw-loopback
|
||||||
|
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output-raw-loopback {
|
||||||
type filter hook output priority filter
|
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
|
||||||
|
skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
|
||||||
oif lo goto output-loopback
|
|
||||||
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
|
|
||||||
}
|
|
||||||
|
|
||||||
chain output-loopback {
|
|
||||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
|
||||||
skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
|
||||||
|
|
||||||
skuid != root counter goto graceful-reject
|
skuid != root counter goto graceful-reject
|
||||||
accept
|
notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain graceful-reject {
|
chain graceful-reject {
|
||||||
|
|