From 42984e77041cfc95d333319bef0b2d8f441f56d3 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 2 Nov 2022 00:11:28 +0100
Subject: =?UTF-8?q?eos=20=E2=86=92=20eostre?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 hosts/eostre/ruleset.nft | 101 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 hosts/eostre/ruleset.nft
(limited to 'hosts/eostre/ruleset.nft')
diff --git a/hosts/eostre/ruleset.nft b/hosts/eostre/ruleset.nft
new file mode 100644
index 00000000..7b38a059
--- /dev/null
+++ b/hosts/eostre/ruleset.nft
@@ -0,0 +1,101 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+ limit lim_arp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid forward: " counter drop
+
+
+ iifname lo counter accept
+
+
+ limit name lim_reject log level debug prefix "drop forward: " counter drop
+ log level debug prefix "reject forward: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid input: " counter drop
+
+
+ iifname lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter reject
+ iif != lo ip6 daddr ::1/128 counter reject
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+ tcp dport 22 counter accept
+ udp dport 60000-61000 counter accept
+
+
+ ct state {established, related} counter accept
+
+
+ limit name lim_reject log level debug prefix "drop input: " counter drop
+ log level debug prefix "reject input: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+
+ counter
+ }
+}
\ No newline at end of file
--
cgit v1.2.3
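Review bot: The `log` statements in the inet input and forward chains carry no rate limit of their own, so the rule `limit name lim_reject log level debug prefix "drop input: " counter drop` writes one kernel log entry per packet exactly once the 1000/s threshold is exceeded, which turns a scan or flood into a log flood; the `reject input: ` log below it can likewise fire up to 1000 times per second, and the `ct state invalid log …` rules at the top of both chains are unbounded too. The `drop forward: `/`reject forward: ` pair has the same shape. I would remove the log from the over-threshold rule and let its counter record how often it fired, `limit name lim_reject counter drop`, and put an inline limit in front of each remaining log, e.g. `limit rate 10/second log level debug prefix "reject input: " counter`. Whether debug-level logging is wanted at all on this host is a question of intent that the ruleset does not document, so a one-line comment above `limit lim_reject` stating what the threshold and the logs are for would help the next reader.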