diff options
Diffstat (limited to 'hosts/surtr/ruleset.nft')
| -rw-r--r-- | hosts/surtr/ruleset.nft | 37 |
1 files changed, 27 insertions, 10 deletions
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index ee72614f..5c2bba7c 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft | |||
| @@ -86,6 +86,7 @@ table inet filter { | |||
| 86 | 86 | ||
| 87 | counter established-rx {} | 87 | counter established-rx {} |
| 88 | 88 | ||
| 89 | counter reject-mail-nologin {} | ||
| 89 | counter reject-ratelimit-rx {} | 90 | counter reject-ratelimit-rx {} |
| 90 | counter reject-rx {} | 91 | counter reject-rx {} |
| 91 | counter reject-tcp-rx {} | 92 | counter reject-tcp-rx {} |
| @@ -114,6 +115,17 @@ table inet filter { | |||
| 114 | 115 | ||
| 115 | counter tx {} | 116 | counter tx {} |
| 116 | 117 | ||
| 118 | set mail_nologin4 { | ||
| 119 | type ipv4_addr | ||
| 120 | flags interval | ||
| 121 | auto-merge | ||
| 122 | } | ||
| 123 | set mail_nologin6 { | ||
| 124 | type ipv6_addr | ||
| 125 | flags interval | ||
| 126 | auto-merge | ||
| 127 | } | ||
| 128 | |||
| 117 | chain forward { | 129 | chain forward { |
| 118 | type filter hook forward priority filter | 130 | type filter hook forward priority filter |
| 119 | policy drop | 131 | policy drop |
| @@ -145,6 +157,14 @@ table inet filter { | |||
| 145 | counter name drop-fw | 157 | counter name drop-fw |
| 146 | } | 158 | } |
| 147 | 159 | ||
| 160 | chain reject_input { | ||
| 161 | limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop | ||
| 162 | log level debug prefix "reject input: " counter name reject-rx | ||
| 163 | meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset | ||
| 164 | ct state new counter name reject-icmp-rx reject | ||
| 165 | |||
| 166 | counter name drop-rx | ||
| 167 | } | ||
| 148 | chain input { | 168 | chain input { |
| 149 | type filter hook input priority filter | 169 | type filter hook input priority filter |
| 150 | policy drop | 170 | policy drop |
| @@ -177,8 +197,11 @@ table inet filter { | |||
| 177 | udp dport {3478, 5349} counter name stun-rx accept | 197 | udp dport {3478, 5349} counter name stun-rx accept |
| 178 | udp dport 49000-50000 counter name turn-rx accept | 198 | udp dport 49000-50000 counter name turn-rx accept |
| 179 | 199 | ||
| 200 | tcp dport {465,466,993,4190} ip saddr @mail_nologin4 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input | ||
| 201 | tcp dport {465,466,993,4190} ip6 saddr @mail_nologin6 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input | ||
| 202 | |||
| 180 | tcp dport 25 counter name smtp-rx accept | 203 | tcp dport 25 counter name smtp-rx accept |
| 181 | tcp dport 465 counter name submissions-rx accept | 204 | tcp dport {465, 466} counter name submissions-rx accept |
| 182 | tcp dport 993 counter name imaps-rx accept | 205 | tcp dport 993 counter name imaps-rx accept |
| 183 | tcp dport 4190 counter name managesieve-rx accept | 206 | tcp dport 4190 counter name managesieve-rx accept |
| 184 | iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept | 207 | iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept |
| @@ -186,13 +209,7 @@ table inet filter { | |||
| 186 | ct state {established, related} counter name established-rx accept | 209 | ct state {established, related} counter name established-rx accept |
| 187 | 210 | ||
| 188 | 211 | ||
| 189 | limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop | 212 | jump reject_input |
| 190 | log level debug prefix "reject input: " counter name reject-rx | ||
| 191 | meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset | ||
| 192 | ct state new counter name reject-icmp-rx reject | ||
| 193 | |||
| 194 | |||
| 195 | counter name drop-rx | ||
| 196 | } | 213 | } |
| 197 | 214 | ||
| 198 | chain output { | 215 | chain output { |
| @@ -224,7 +241,7 @@ table inet filter { | |||
| 224 | udp sport 49000-50000 counter name turn-tx accept | 241 | udp sport 49000-50000 counter name turn-tx accept |
| 225 | 242 | ||
| 226 | tcp sport 25 counter name smtp-tx accept | 243 | tcp sport 25 counter name smtp-tx accept |
| 227 | tcp sport 465 counter name submissions-tx accept | 244 | tcp sport {465, 466} counter name submissions-tx accept |
| 228 | tcp sport 993 counter name imaps-tx accept | 245 | tcp sport 993 counter name imaps-tx accept |
| 229 | tcp sport 4190 counter name managesieve-tx accept | 246 | tcp sport 4190 counter name managesieve-tx accept |
| 230 | tcp sport 8432 counter name pgbackrest-tx accept | 247 | tcp sport 8432 counter name pgbackrest-tx accept |
| @@ -232,4 +249,4 @@ table inet filter { | |||
| 232 | 249 | ||
| 233 | counter name tx | 250 | counter name tx |
| 234 | } | 251 | } |
| 235 | } \ No newline at end of file | 252 | } |