summaryrefslogtreecommitdiff
path: root/hosts/surtr/ruleset.nft
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/surtr/ruleset.nft')
-rw-r--r--hosts/surtr/ruleset.nft31
1 files changed, 24 insertions, 7 deletions
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 14fc9b79..5c2bba7c 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -86,6 +86,7 @@ table inet filter {
86 86
87 counter established-rx {} 87 counter established-rx {}
88 88
89 counter reject-mail-nologin {}
89 counter reject-ratelimit-rx {} 90 counter reject-ratelimit-rx {}
90 counter reject-rx {} 91 counter reject-rx {}
91 counter reject-tcp-rx {} 92 counter reject-tcp-rx {}
@@ -114,6 +115,17 @@ table inet filter {
114 115
115 counter tx {} 116 counter tx {}
116 117
118 set mail_nologin4 {
119 type ipv4_addr
120 flags interval
121 auto-merge
122 }
123 set mail_nologin6 {
124 type ipv6_addr
125 flags interval
126 auto-merge
127 }
128
117 chain forward { 129 chain forward {
118 type filter hook forward priority filter 130 type filter hook forward priority filter
119 policy drop 131 policy drop
@@ -145,6 +157,14 @@ table inet filter {
145 counter name drop-fw 157 counter name drop-fw
146 } 158 }
147 159
160 chain reject_input {
161 limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
162 log level debug prefix "reject input: " counter name reject-rx
163 meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
164 ct state new counter name reject-icmp-rx reject
165
166 counter name drop-rx
167 }
148 chain input { 168 chain input {
149 type filter hook input priority filter 169 type filter hook input priority filter
150 policy drop 170 policy drop
@@ -177,6 +197,9 @@ table inet filter {
177 udp dport {3478, 5349} counter name stun-rx accept 197 udp dport {3478, 5349} counter name stun-rx accept
178 udp dport 49000-50000 counter name turn-rx accept 198 udp dport 49000-50000 counter name turn-rx accept
179 199
200 tcp dport {465,466,993,4190} ip saddr @mail_nologin4 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
201 tcp dport {465,466,993,4190} ip6 saddr @mail_nologin6 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
202
180 tcp dport 25 counter name smtp-rx accept 203 tcp dport 25 counter name smtp-rx accept
181 tcp dport {465, 466} counter name submissions-rx accept 204 tcp dport {465, 466} counter name submissions-rx accept
182 tcp dport 993 counter name imaps-rx accept 205 tcp dport 993 counter name imaps-rx accept
@@ -186,13 +209,7 @@ table inet filter {
186 ct state {established, related} counter name established-rx accept 209 ct state {established, related} counter name established-rx accept
187 210
188 211
189 limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop 212 jump reject_input
190 log level debug prefix "reject input: " counter name reject-rx
191 meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
192 ct state new counter name reject-icmp-rx reject
193
194
195 counter name drop-rx
196 } 213 }
197 214
198 chain output { 215 chain output {