| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-04-09 00:12:45 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-04-09 00:12:45 +0200 |
| commit | ebd289d241a4e87c6e57ee3768d697d610d3699b (patch) | |
| tree | 30b1c0a27ee94f0208b9b62e3f5f1f58b1c8b6ca /hosts | |
| parent | e1e238a348d341cdae1fc951e5e5f00b2c0c4743 (diff) | |
| download | nixos-ebd289d241a4e87c6e57ee3768d697d610d3699b.tar nixos-ebd289d241a4e87c6e57ee3768d697d610d3699b.tar.gz nixos-ebd289d241a4e87c6e57ee3768d697d610d3699b.tar.bz2 nixos-ebd289d241a4e87c6e57ee3768d697d610d3699b.tar.xz nixos-ebd289d241a4e87c6e57ee3768d697d610d3699b.zip | |
...
Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/surtr/ruleset.nft | 177 | ||||
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 4 |
2 files changed, 133 insertions, 48 deletions
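diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index b7216948..3701d119 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -5,22 +5,28 @@ table arp filter {
 rate over 50 mbytes/second burst 50 mbytes
 }
 
+counter arp-rx {}
+counter arp-tx {}
+
+counter arp-ratelimit-rx {}
+counter arp-ratelimit-tx {}
+
 chain input {
 type filter hook input priority filter
 policy accept
 
-limit name lim_arp counter drop
+limit name lim_arp counter name arp-ratelimit-rx drop
 
-counter
+counter name arp-rx
 }
 
 chain output {
 type filter hook output priority filter
 policy accept
 
-limit name lim_arp counter drop
+limit name lim_arp counter name arp-ratelimit-tx drop
 
-counter
+counter name arp-tx
 }
 }
 
@@ -33,36 +39,98 @@ table inet filter {
 rate over 50 mbytes/second burst 50 mbytes
 }
 
+counter invalid-fw {}
+counter fw-lo {}
+counter fw-bifrost {}
+counter fw-inet {}
+
+counter icmp-ratelimit-vpn-fw {}
+counter icmp-ratelimit-established-fw {}
+counter icmp-ratelimit-inet-fw {}
+
+counter icmp-vpn-fw {}
+counter icmp-established-fw {}
+counter icmp-inet-fw {}
+
+counter reject-ratelimit-fw {}
+counter reject-fw {}
+counter reject-tcp-fw {}
+counter reject-icmp-fw {}
+
+counter invalid-rx {}
+
+counter rx-lo {}
+counter invalid-local4-rx {}
+counter invalid-local6-rx {}
+
+counter icmp-ratelimit-rx {}
+counter icmp-rx {}
+
+counter ssh-rx {}
+counter mosh-rx {}
+
+counter wg-rx {}
+counter yggdrasil-gre-rx {}
+
+counter dns-rx {}
+counter http-rx {}
+counter stun-rx {}
+counter turn-rx {}
+
+counter established-rx {}
+
+counter reject-ratelimit-rx {}
+counter reject-rx {}
+counter reject-tcp-rx {}
+counter reject-icmp-rx {}
+
+counter drop-rx {}
+
+counter tx-lo {}
+
+counter icmp-ratelimit-tx {}
+counter icmp-tx {}
+
+counter ssh-tx {}
+counter mosh-tx {}
+counter dns-tx {}
+counter wg-tx {}
+counter yggdrasil-gre-tx {}
+counter http-tx {}
+counter stun-tx {}
+counter turn-tx {}
+
+counter tx {}
 
 chain forward {
 type filter hook forward priority filter
 policy drop
 
 
-ct state invalid log level debug prefix "drop invalid forward: " counter drop
+ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
 
 
-iifname lo counter accept
+iifname lo counter name fw-lo accept
 
-meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} limit name lim_icmp counter drop
-meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} counter accept
-meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
-meta l4proto $icmp_protos ct state {established, related} counter accept
-meta l4proto $icmp_protos oifname bifrost limit name lim_icmp counter drop
-meta l4proto $icmp_protos oifname bifrost counter accept
+meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} limit name lim_icmp counter name icmp-ratelimit-vpn-fw drop
+meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} counter name icmp-vpn-fw accept
+meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter name icmp-ratelimit-established-fw drop
+meta l4proto $icmp_protos ct state {established, related} counter name icmp-established-fw accept
+meta l4proto $icmp_protos oifname bifrost limit name lim_icmp counter name icmp-ratelimit-inet-fw drop
+meta l4proto $icmp_protos oifname bifrost counter name icmp-inet-fw accept
 
 
-oifname bifrost counter accept
-iifname bifrost oifname ens3 counter accept
+oifname bifrost counter name fw-bifrost accept
+iifname bifrost oifname ens3 counter name fw-inet accept
 
 
-limit name lim_reject log level debug prefix "drop forward: " counter drop
-log level debug prefix "reject forward: " counter
-meta l4proto tcp ct state new counter reject with tcp reset
-ct state new counter reject
+limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
+log level debug prefix "reject forward: " counter name reject-fw
+meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+ct state new counter name reject-icmp-fw reject
 
 
-counter
+counter name drop-fw
 }
 
 chain input {
@@ -70,42 +138,42 @@ table inet filter {
 policy drop
 
 
-ct state invalid log level debug prefix "drop invalid input: " counter drop
+ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
 
 
-iifname lo counter accept
-iif != lo ip daddr 127.0.0.1/8 counter reject
-iif != lo ip6 daddr ::1/128 counter reject
+iifname lo counter name rx-lo accept
+iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
 
-meta l4proto $icmp_protos limit name lim_icmp counter drop
-meta l4proto $icmp_protos counter accept
+meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+meta l4proto $icmp_protos counter name icmp-rx accept
 
-tcp dport 22 counter accept
-udp dport 60001-61000 counter accept
+tcp dport 22 counter name ssh-rx accept
+udp dport 60001-61000 counter name mosh-rx accept
 
-meta protocol ip udp dport 51820 counter accept
-meta protocol ip6 udp dport {51821, 51822} counter accept
-iifname "yggdrasil-wg-*" meta l4proto gre counter accept
+meta protocol ip udp dport 51820 counter name wg-rx accept
+meta protocol ip6 udp dport {51821, 51822} counter name wg-rx accept
+iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
 
-tcp dport 53 counter accept
-udp dport 53 counter accept
+tcp dport 53 counter name dns-rx accept
+udp dport 53 counter name dns-rx accept
 
-tcp dport {80, 443, 8448} counter accept
+tcp dport {80, 443, 8448} counter name http-rx accept
 
-tcp dport {3478, 5349} counter accept
-udp dport {3478, 5349} counter accept
-udp dport 49000-50000 counter accept
+tcp dport {3478, 5349} counter name stun-rx accept
+udp dport {3478, 5349} counter name stun-rx accept
+udp dport 49000-50000 counter name turn-rx accept
 
-ct state {established, related} counter accept
+ct state {established, related} counter name established-rx accept
 
 
-limit name lim_reject log level debug prefix "drop input: " counter drop
-log level debug prefix "reject input: " counter
-meta l4proto tcp ct state new counter reject with tcp reset
-ct state new counter reject
+limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+log level debug prefix "reject input: " counter name reject-rx
+meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+ct state new counter name reject-icmp-rx reject
 
 
-counter
+counter name drop-rx
 }
 
 chain output {
@@ -113,12 +181,29 @@ table inet filter {
 policy accept
 
 
-oifname lo counter accept
+oifname lo counter name tx-lo accept
+
+meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+tcp sport 22 counter name ssh-tx
+udp sport 60001-61000 counter name mosh-tx
+
+tcp sport 53 counter name dns-tx
+udp sport 53 counter name dns-tx
+
+meta protocol ip udp sport 51820 counter name wg-tx
+meta protocol ip6 udp sport {51821, 51822} counter name wg-tx
+iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
+
+tcp sport {80,443,8448} counter name http-tx accept
 
-meta l4proto $icmp_protos limit name lim_icmp counter drop
-meta l4proto $icmp_protos counter accept
+tcp sport {3478, 5349} counter name stun-tx accept
+udp sport {3478, 5349} counter name stun-tx accept
+udp sport 49000-50000 counter name turn-tx accept
 
 
-counter
+counter name tx
 }
 }
\ No newline at end of file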
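Review bot: `counter name drop-fw` on new line 133 of the forward chain references a named counter that the declaration block added at lines 42–103 never defines (it declares `drop-rx` and `tx`, but no `drop-fw`), so unless `drop-fw` is declared somewhere in the table outside this hunk, nft rejects that rule and the whole ruleset fails to load; adding `counter drop-fw {}` next to `counter reject-icmp-fw {}` fixes it. In the output chain, new line 198 `iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx` matches on the input interface inside an output-hook chain, where locally generated packets have none, so the rule most likely never matches and `yggdrasil-gre-tx` stays at zero; `oifname "yggdrasil-wg-*"` is presumably what is meant (the vidhar output chain carries the same line as unchanged context). Also in that chain, the new `ssh-tx`, `mosh-tx`, `dns-tx`, `wg-tx` and `yggdrasil-gre-tx` rules at lines 190–198 carry no verdict while `http-tx`, `stun-tx` and `turn-tx` at lines 200–204 `accept`, so the former are additionally counted by `counter name tx` at line 207 and the latter are not; either drop the `accept`s or add them consistently so `tx` has a single meaning.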
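diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 4e8341e9..d956cb74 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -213,7 +213,7 @@ table inet filter {
 udp sport 53 counter name dns-tx
 
 meta protocol ip udp sport 51820 counter name wg-tx
-meta protocol ip6 udp sport 51821 counter name wg-tx
+meta protocol ip6 udp sport {51821,51822} counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
 
 meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
@@ -225,7 +225,7 @@ table inet filter {
 udp sport { 137, 138, 3702 } counter name samba-tx accept
 tcp sport { 445, 139, 5357 } counter name samba-tx accept
 
-tcp sport 80 counter name http-tx accept
+tcp sport {80,443} counter name http-tx accept
 
 udp sport 69 counter name tftp-tx accept
 udp dport 69 counter name tftp-tx accept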
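Review bot: The new set literals `{51821,51822}` on line 216 and `{80,443}` on line 228 drop the spacing the neighbouring rules use (`{ 137, 138, 3702 }` on line 225, `{ 445, 139, 5357 }` on line 226); writing them `{ 51821, 51822 }` and `{ 80, 443 }` keeps one set spelling in this file. Unchanged context line 217 in the same output chain matches `iifname` inside an output hook, where locally generated packets carry no input interface, so `yggdrasil-gre-tx` likely never increments; that predates this commit, but is worth a follow-up to `oifname` since the surtr ruleset in this same commit copies the line.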
