e462984dbe
...
471a0d6ccc
Author | SHA1 | Date |
---|---|---|
Tommy | 471a0d6ccc | |
Daniel Micay | 398acc6fe8 | |
Daniel Micay | b17b2f3fd3 | |
Tommy | eeaaf12886 | |
Tommy | 4a985cbe29 | |
Tommy | 1bc32489f1 |
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name grapheneos.network \
|
||||
-d grapheneos.network \
|
||||
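Review bot: `--elliptic-curve secp384r1` is added on the same command line as `--reuse-key`, so on an already-issued lineage certbot keeps the existing private key and the curve change has no effect until that key is regenerated; only a lineage created fresh after this change gets a P-384 key (this assumes the `--key-type` line carrying `--elliptic-curve` is the new side, since the `+`/`-` markers are lost on this page). If the intent is to move these hosts to P-384, the first run after the change needs the key replaced — certbot's `--new-key` does that once while leaving `--reuse-key` in place for later renewals, where the installed certbot supports it — and the issued certificate should be checked with `openssl x509 -noout -text` for `NIST CURVE: P-384`. The same edit appears in the nine other certbot hunks on this page (grapheneos.org, releases.grapheneos.org, attestation.app, discuss.grapheneos.org, grapheneos.social, matrix.grapheneos.org, mta-sts.mail.grapheneos.org, staging.attestation.app, staging.grapheneos.org). The command continues past the hunk for the entries whose `-d` line ends in a backslash.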
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name grapheneos.org \
|
||||
-d grapheneos.org \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name releases.grapheneos.org \
|
||||
-d releases.grapheneos.org \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name attestation.app \
|
||||
-d attestation.app \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name discuss.grapheneos.org \
|
||||
-d discuss.grapheneos.org
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name grapheneos.social \
|
||||
-d grapheneos.social \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name matrix.grapheneos.org \
|
||||
-d matrix.grapheneos.org \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name mta-sts.mail.grapheneos.org \
|
||||
-d mail.grapheneos.org \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name staging.attestation.app \
|
||||
-d staging.attestation.app
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name staging.grapheneos.org \
|
||||
-d staging.grapheneos.org
|
||||
|
|
|
@ -49,7 +49,7 @@ table inet filter {
|
|||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
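Review bot: Which of the two `ct state vmap` lines is the new side cannot be read off this page, but if `new : drop` replaces `new : goto graceful-reject`, the `graceful-reject` chain the vmap used to jump to is defined outside the hunk and may now be unreferenced in this table. nftables loads a ruleset with an unreferenced chain, so nothing breaks, but it is then dead configuration and the behavioural change — unmatched new connections time out instead of receiving a reset or ICMP unreachable — is recorded nowhere. Either remove the chain definition in the same commit if nothing else jumps to it, or leave a one-line comment above the vmap such as `# new connections not matched above are dropped, not rejected (graceful-reject no longer used)`. The same pair appears in the eight other `ct state vmap` hunks on this page (`@ -49,7`, `@ -61,7`, `@ -59,7`, `@ -52,7`, `@ -63,7`), so the same question applies to each of those files.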
|
|
|
@ -49,7 +49,7 @@ table inet filter {
|
|||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
|
|
|
@ -61,7 +61,7 @@ table inet filter {
|
|||
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
|
|
|
@ -49,7 +49,7 @@ table inet filter {
|
|||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
|
|
|
@ -59,7 +59,7 @@ table inet filter {
|
|||
iif lo accept
|
||||
udp dport 123 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
|
|
|
@ -52,7 +52,7 @@ table inet filter {
|
|||
iif lo accept
|
||||
udp dport 53 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define ip-anycast = 198.251.90.93
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
198.98.53.141, # 0.ns2.grapheneos.org
|
||||
}
|
||||
|
@ -46,8 +48,7 @@ table inet filter {
|
|||
|
||||
udp dport 53 notrack accept
|
||||
|
||||
# reject SSH packets via anycast IP
|
||||
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
||||
tcp dport 22 ip daddr $ip-anycast drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||
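Review bot: The comment `# reject SSH packets via anycast IP` is kept while the rule beneath it changes from `reject with tcp reset` to `drop`, so the comment now describes the old behaviour; this assumes `tcp dport 22 ip daddr $ip-anycast drop` is the new side, which the +2 shift of this hunk's new-side start (matching the two lines added at `@ -3,6 +3,8` for `define ip-anycast`) supports. Change it to `# drop SSH packets arriving on the anycast IP ($ip-anycast)` so the next reader does not expect a TCP reset on that address. If the reset-to-drop switch is deliberate (a client probing SSH on the anycast address now waits for a timeout rather than getting an immediate RST), a few words on why in the same comment would save the next reviewer from re-raising it.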
|
@ -63,7 +64,7 @@ table inet filter {
|
|||
iif lo accept
|
||||
udp dport 53 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
|
|
|
@ -49,7 +49,7 @@ table inet filter {
|
|||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
|
|
|
@ -59,7 +59,7 @@ table inet filter {
|
|||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
|
|