Tommy 471a0d6ccc
Merge eeaaf12886 into 398acc6fe8 2024-04-20 20:23:56 +09:00
Daniel Micay 398acc6fe8 nftables: drop instead of reject for unused ports
This provides consistency with DDoS protection services placed in front
of the services rather than the behavior changing based on whether DDoS
protection is active. This doesn't help with protecting against attacks
since they'll almost always be targeting ports with services active or
exhausting inbound bandwidth via UDP reflection attacks. This appears to
be the standard approach used by most large tech companies.
2024-04-19 13:54:12 -04:00
Daniel Micay b17b2f3fd3 nftables: add define for ns2.grapheneos.org anycast IP 2024-04-18 10:45:53 -04:00
Tommy eeaaf12886
Typo fix 2023-09-07 19:57:24 -07:00
Tommy 4a985cbe29
Typo fix 2023-09-07 19:56:43 -07:00
Tommy 1bc32489f1
Use curve secp384r1 2023-09-07 19:51:41 -07:00
19 changed files with 22 additions and 21 deletions


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name grapheneos.network \
-d grapheneos.network \
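Review bot: The `--elliptic-curve secp384r1` added on the second line will, as far as I recall, only take effect when certbot generates a fresh private key, while `--reuse-key` on the same line tells it to keep the existing key across renewals, so a host that already holds a P-256 key would keep renewing on P-256 after this change. If that matches the installed certbot version, the migration needs a one-off run with `--new-key` (or the existing key removed) per cert name, and that step is not visible in this compare. A short comment on the line would spare the next operator the surprise: `# curve applies to newly generated keys only; with --reuse-key, migrate existing certs with a one-off --new-key run`. The same flag is added to every other certbot invocation in this compare and the same caveat applies to each of them.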


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name grapheneos.org \
-d grapheneos.org \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name releases.grapheneos.org \
-d releases.grapheneos.org \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name attestation.app \
-d attestation.app \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name discuss.grapheneos.org \
-d discuss.grapheneos.org


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name grapheneos.social \
-d grapheneos.social \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name matrix.grapheneos.org \
-d matrix.grapheneos.org \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name mta-sts.mail.grapheneos.org \
-d mail.grapheneos.org \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name staging.attestation.app \
-d staging.attestation.app


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name staging.grapheneos.org \
-d staging.grapheneos.org


@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {
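Review bot: The rewritten vmap still has no entry for `invalid`, so packets conntrack classifies as invalid do not match this rule and fall through to whatever follows, and the chain policy that decides their fate is outside the hunk; an explicit `ct state invalid drop` ahead of the vmap, or an `invalid : drop` entry inside it, would make the silent-drop behaviour the commit is after unconditional. With `new` now dropped inline, the `graceful-reject` chain this line used to jump to is presumably no longer referenced from this chain — if nothing else jumps to it, it should be deleted rather than left as dead configuration. The rationale from the commit message belongs next to the rule, because a bare `drop` directly under the accepted service ports reads like an oversight: `# drop (not reject) new connections to unused ports: consistent with upstream DDoS protection; not a security measure in itself`. The same vmap change appears in the other nftables files in this compare and the same remarks apply there; the enclosing chain starts before this hunk.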


@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -61,7 +61,7 @@ table inet filter {
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -59,7 +59,7 @@ table inet filter {
iif lo accept
udp dport 123 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -52,7 +52,7 @@ table inet filter {
iif lo accept
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -3,6 +3,8 @@
flush ruleset
table inet filter {
define ip-anycast = 198.251.90.93
define ip-allowlist-ssh = {
198.98.53.141, # 0.ns2.grapheneos.org
}
@ -46,8 +48,7 @@ table inet filter {
udp dport 53 notrack accept
# reject SSH packets via anycast IP
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
tcp dport 22 ip daddr $ip-anycast drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
@ -63,7 +64,7 @@ table inet filter {
iif lo accept
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {
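Review bot: The comment above the rewritten SSH rule still reads `# reject SSH packets via anycast IP` while the rule now does `drop` instead of `reject with tcp reset`, so comment and behaviour disagree; update it to `# drop SSH packets addressed to the anycast IP (silently, consistent with the unused-port handling below)`. The new `$ip-anycast` define holds an IPv4 address and the rule matches `ip daddr` only, so if the anycast service is also reachable over IPv6, SSH towards that address is not covered by this rule — that cannot be confirmed from the hunk. Operationally, a client hitting port 22 on the anycast address now times out instead of failing fast, which is the stated intent but worth a word in the comment for whoever debugs a hung SSH session later. The enclosing table and chain start before this hunk.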


@ -49,7 +49,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {


@ -59,7 +59,7 @@ table inet filter {
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
ct state vmap { new : drop, established : accept, related : accept }
}
chain input-tcp-service {