From 329de92b6e00f1af9925f56a4fc6da14087802e5 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 25 May 2024 20:37:25 +0200
Subject: tkleen
---
hosts/surtr/ruleset.nft | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'hosts/surtr/ruleset.nft')
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index ee72614f..14fc9b79 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -178,7 +178,7 @@ table inet filter {
 udp dport 49000-50000 counter name turn-rx accept
 tcp dport 25 counter name smtp-rx accept
- tcp dport 465 counter name submissions-rx accept
+ tcp dport {465, 466} counter name submissions-rx accept
 tcp dport 993 counter name imaps-rx accept
 tcp dport 4190 counter name managesieve-rx accept
 iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
@@ -224,7 +224,7 @@ table inet filter {
 udp sport 49000-50000 counter name turn-tx accept
 tcp sport 25 counter name smtp-tx accept
- tcp sport 465 counter name submissions-tx accept
+ tcp sport {465, 466} counter name submissions-tx accept
 tcp sport 993 counter name imaps-tx accept
 tcp sport 4190 counter name managesieve-tx accept
 tcp sport 8432 counter name pgbackrest-tx accept
@@ -232,4 +232,4 @@ table inet filter {
 counter name tx
 }
-}
\ No newline at end of file
+}
-- cgit v1.2.3
From c2a1e00b26b7e65305a36aa817a311ecbd2d831c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 11 Jun 2024 10:05:16 +0200
Subject: email nologin by as-set
---
hosts/surtr/ruleset.nft | 31 ++++++++++++++++++++++++-------
1 file changed, 24 insertions(+), 7 deletions(-)
(limited to 'hosts/surtr/ruleset.nft')
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 14fc9b79..5c2bba7c 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -86,6 +86,7 @@ table inet filter {
 counter established-rx {}
+ counter reject-mail-nologin {}
 counter reject-ratelimit-rx {}
 counter reject-rx {}
 counter reject-tcp-rx {}
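Review bot: Port 466 is added to the submissions accept rule in the `@@ -178` hunk with nothing saying what listens there, and 466 is not a port a reader will recognise as the submissions service (465 is), so the rule should carry a comment; the same applies to the matching `tcp sport {465, 466}` rule in the `@@ -224` hunk. The commit subject `tkleen` does not explain it either, and the counter name `submissions-rx` will silently count traffic for a second service. I would put a line above the rule such as `# 466: <service that listens here> (see commit "tkleen")`, or attach nft's rule `comment "..."` attribute, so that an operator reading the counters knows what 466 carries. Both hunks sit inside the `input` and `output` chains, whose bodies continue outside the hunks.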
@@ -114,6 +115,17 @@ table inet filter {
 counter tx {}
+ set mail_nologin4 {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ }
+ set mail_nologin6 {
+ type ipv6_addr
+ flags interval
+ auto-merge
+ }
+
 chain forward {
 type filter hook forward priority filter
 policy drop
@@ -145,6 +157,14 @@ table inet filter {
 counter name drop-fw
 }
+ chain reject_input {
+ limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+ log level debug prefix "reject input: " counter name reject-rx
+ meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+ ct state new counter name reject-icmp-rx reject
+
+ counter name drop-rx
+ }
 chain input {
 type filter hook input priority filter
 policy drop
@@ -177,6 +197,9 @@ table inet filter {
 udp dport {3478, 5349} counter name stun-rx accept
 udp dport 49000-50000 counter name turn-rx accept
+ tcp dport {465,466,993,4190} ip saddr @mail_nologin4 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
+ tcp dport {465,466,993,4190} ip6 saddr @mail_nologin6 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
+
 tcp dport 25 counter name smtp-rx accept
 tcp dport {465, 466} counter name submissions-rx accept
 tcp dport 993 counter name imaps-rx accept
@@ -186,13 +209,7 @@ table inet filter {
 ct state {established, related} counter name established-rx accept
- limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
- log level debug prefix "reject input: " counter name reject-rx
- meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
- ct state new counter name reject-icmp-rx reject
-
-
- counter name drop-rx
+ jump reject_input
 }
 chain output {
-- cgit v1.2.3
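Review bot: The new `mail_nologin4` and `mail_nologin6` sets are declared empty and nothing in the ruleset records who fills them or when, which matters for a deny list that rejects mail logins; the subject line suggests they are derived from an AS-set, but that cannot be seen from the file itself. I would put a comment above each set, e.g. `# populated at runtime from the mail nologin AS-set (commit "email nologin by as-set"); empty in the static ruleset`, so an operator investigating rejected logins knows where the entries come from. `flags interval` with `auto-merge` fits a list of prefixes, so that part reads right.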
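Review bot: The last rule of the new `reject_input` chain, `counter name drop-rx`, carries no verdict, so a packet that the rate-limited first rule does not drop and that is not `ct state new` runs off the end of the chain; inline that was harmless because the base chain's `policy drop` applied, but the chain is now reached by `jump` from the middle of `input` in the `@@ -177` hunk, and a `jump` returns to the caller when the called chain ends without a verdict, so such a packet continues through the remaining `input` rules, can still match `tcp dport {465, 466} counter name submissions-rx accept` or `ct state {established, related} counter name established-rx accept`, and is counted in `drop-rx` although it was accepted. Either make the chain terminal with `counter name drop-rx drop`, or use `goto reject_input` in the two mail-nologin rules so that running off the end lands in the base chain policy as before. The end-of-chain `jump reject_input` in the `@@ -186` hunk is unaffected either way, but `goto` would read consistently there too.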
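Review bot: The two mail-nologin rules in the `@@ -177` hunk log every matching packet with `log prefix "mail nologin: "` at the default log level and without a `limit`, and the `jump reject_input` then logs the same packet a second time (`drop input: ` or `reject input: `, since the second log rule in that chain has no match condition), so one blocked client yields two kernel log lines per packet and a large address set can flood the log. I would remove the `log prefix` from these two rules, as the `reject-mail-nologin` counter already records the hits and the reject_input lines carry the rest, or guard it with `limit name lim_reject` the way the chain's rate-limited rule does; `log level debug` would at least keep it out of the default journal. The `input` chain continues outside the hunk.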