diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2025-05-24 20:26:52 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2025-05-24 20:26:52 +0200 |
| commit | 2a45b6837ea381c893d0ebde2f8cce2897331c35 (patch) | |
| tree | 8c04e981d1fdf00afd5d503e62b50fe9daa1fcad /hosts/vidhar/kimai/ruleset.nft | |
| parent | b8c7aac98efdd794de6cc1f8ef935fff05786214 (diff) | |
| download | nixos-2a45b6837ea381c893d0ebde2f8cce2897331c35.tar nixos-2a45b6837ea381c893d0ebde2f8cce2897331c35.tar.gz nixos-2a45b6837ea381c893d0ebde2f8cce2897331c35.tar.bz2 nixos-2a45b6837ea381c893d0ebde2f8cce2897331c35.tar.xz nixos-2a45b6837ea381c893d0ebde2f8cce2897331c35.zip | |
kimai
Diffstat (limited to 'hosts/vidhar/kimai/ruleset.nft')
| -rw-r--r-- | hosts/vidhar/kimai/ruleset.nft | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/hosts/vidhar/kimai/ruleset.nft b/hosts/vidhar/kimai/ruleset.nft new file mode 100644 index 00000000..ad4db6d5 --- /dev/null +++ b/hosts/vidhar/kimai/ruleset.nft | |||
| @@ -0,0 +1,149 @@ | |||
| 1 | define icmp_protos = {ipv6-icmp, icmp, igmp} | ||
| 2 | |||
| 3 | table arp filter { | ||
| 4 | limit lim_arp { | ||
| 5 | rate over 50 mbytes/second burst 50 mbytes | ||
| 6 | } | ||
| 7 | |||
| 8 | counter arp-rx {} | ||
| 9 | counter arp-tx {} | ||
| 10 | |||
| 11 | counter arp-ratelimit-rx {} | ||
| 12 | counter arp-ratelimit-tx {} | ||
| 13 | |||
| 14 | chain input { | ||
| 15 | type filter hook input priority filter | ||
| 16 | policy accept | ||
| 17 | |||
| 18 | limit name lim_arp counter name arp-ratelimit-rx drop | ||
| 19 | |||
| 20 | counter name arp-rx | ||
| 21 | } | ||
| 22 | |||
| 23 | chain output { | ||
| 24 | type filter hook output priority filter | ||
| 25 | policy accept | ||
| 26 | |||
| 27 | limit name lim_arp counter name arp-ratelimit-tx drop | ||
| 28 | |||
| 29 | counter name arp-tx | ||
| 30 | } | ||
| 31 | } | ||
| 32 | |||
| 33 | table inet filter { | ||
| 34 | limit lim_reject { | ||
| 35 | rate over 1000/second burst 1000 packets | ||
| 36 | } | ||
| 37 | |||
| 38 | limit lim_icmp { | ||
| 39 | rate over 50 mbytes/second burst 50 mbytes | ||
| 40 | } | ||
| 41 | |||
| 42 | counter invalid-fw {} | ||
| 43 | counter fw-lo {} | ||
| 44 | |||
| 45 | counter reject-ratelimit-fw {} | ||
| 46 | counter reject-fw {} | ||
| 47 | counter reject-tcp-fw {} | ||
| 48 | counter reject-icmp-fw {} | ||
| 49 | |||
| 50 | counter drop-fw {} | ||
| 51 | |||
| 52 | counter invalid-rx {} | ||
| 53 | |||
| 54 | counter rx-lo {} | ||
| 55 | counter invalid-local4-rx {} | ||
| 56 | counter invalid-local6-rx {} | ||
| 57 | |||
| 58 | counter icmp-ratelimit-rx {} | ||
| 59 | counter icmp-rx {} | ||
| 60 | |||
| 61 | counter kimai-rx {} | ||
| 62 | |||
| 63 | counter established-rx {} | ||
| 64 | |||
| 65 | counter reject-ratelimit-rx {} | ||
| 66 | counter reject-rx {} | ||
| 67 | counter reject-tcp-rx {} | ||
| 68 | counter reject-icmp-rx {} | ||
| 69 | |||
| 70 | counter drop-rx {} | ||
| 71 | |||
| 72 | counter tx-lo {} | ||
| 73 | |||
| 74 | counter icmp-ratelimit-tx {} | ||
| 75 | counter icmp-tx {} | ||
| 76 | |||
| 77 | counter kimai-tx {} | ||
| 78 | |||
| 79 | counter tx {} | ||
| 80 | |||
| 81 | chain forward { | ||
| 82 | type filter hook forward priority filter | ||
| 83 | policy drop | ||
| 84 | |||
| 85 | |||
| 86 | ct state invalid log level debug prefix "kimai: drop invalid forward: " counter name invalid-fw drop | ||
| 87 | |||
| 88 | |||
| 89 | iifname lo counter name fw-lo accept | ||
| 90 | |||
| 91 | |||
| 92 | limit name lim_reject log level debug prefix "kimai: drop forward: " counter name reject-ratelimit-fw drop | ||
| 93 | log level debug prefix "kimai: reject forward: " counter name reject-fw | ||
| 94 | meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset | ||
| 95 | ct state new counter name reject-icmp-fw reject | ||
| 96 | |||
| 97 | |||
| 98 | counter name drop-fw | ||
| 99 | } | ||
| 100 | |||
| 101 | chain input { | ||
| 102 | type filter hook input priority filter | ||
| 103 | policy drop | ||
| 104 | |||
| 105 | |||
| 106 | ct state invalid log level debug prefix "kimai: drop invalid input: " counter name invalid-rx drop | ||
| 107 | |||
| 108 | |||
| 109 | iifname lo counter name rx-lo accept | ||
| 110 | iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject | ||
| 111 | iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject | ||
| 112 | |||
| 113 | |||
| 114 | meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop | ||
| 115 | meta l4proto $icmp_protos counter name icmp-rx accept | ||
| 116 | |||
| 117 | |||
| 118 | tcp dport 80 counter name kimai-rx accept | ||
| 119 | |||
| 120 | |||
| 121 | ct state { established, related } counter name established-rx accept | ||
| 122 | |||
| 123 | |||
| 124 | limit name lim_reject log level debug prefix "kimai: drop input: " counter name reject-ratelimit-rx drop | ||
| 125 | log level debug prefix "kimai: reject input: " counter name reject-rx | ||
| 126 | meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset | ||
| 127 | ct state new counter name reject-icmp-rx reject | ||
| 128 | |||
| 129 | |||
| 130 | counter name drop-rx | ||
| 131 | } | ||
| 132 | |||
| 133 | chain output { | ||
| 134 | type filter hook output priority filter | ||
| 135 | policy accept | ||
| 136 | |||
| 137 | |||
| 138 | oifname lo counter name tx-lo accept | ||
| 139 | |||
| 140 | meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop | ||
| 141 | meta l4proto $icmp_protos counter name icmp-tx accept | ||
| 142 | |||
| 143 | |||
| 144 | tcp sport 80 counter name kimai-tx | ||
| 145 | |||
| 146 | |||
| 147 | counter name tx | ||
| 148 | } | ||
| 149 | } | ||