From e1483ff2214541c2ad3f2f99770ed41544bb8721 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 31 Dec 2021 16:42:52 +0100
Subject: vidhar: ...
---
 hosts/vidhar/ruleset.nft | 159 ----------------------------------------------
 1 file changed, 159 deletions(-)
 delete mode 100644 hosts/vidhar/ruleset.nft
(limited to 'hosts/vidhar/ruleset.nft')
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
deleted file mode 100644
index 57ac2716..00000000
--- a/hosts/vidhar/ruleset.nft
+++ /dev/null
@@ -1,159 +0,0 @@
-define icmp_protos = { ipv6-icmp, icmp, igmp }
-
-table arp filter {
- limit lim_arp_local {
- rate over 50 mbytes/second burst 50 mbytes
- }
- limit lim_arp_dsl {
- rate over 1400 kbytes/second burst 1400 kbytes
- }
-
- chain input {
- type filter hook input priority filter
- policy accept
-
- iifname != dsl limit name lim_arp_local counter drop
- iifname dsl limit name lim_arp_dsl counter drop
-
- counter
- }
-
- chain output {
- type filter hook output priority filter
- policy accept
-
- oifname != dsl limit name lim_arp_local counter drop
- oifname dsl limit name lim_arp_dsl counter drop
-
- counter
- }
-}
-
-table inet filter {
- limit lim_reject {
- rate over 1000/second burst 1000 packets
- }
-
- limit lim_icmp_local {
- rate over 50 mbytes/second burst 50 mbytes
- }
- limit lim_icmp_dsl {
- rate over 1400 kbytes/second burst 1400 kbytes
- }
-
-
- chain forward_icmp_accept {
- oifname dsl limit name lim_icmp_dsl counter drop
- iifname dsl limit name lim_icmp_dsl counter drop
- oifname != dsl limit name lim_icmp_local counter drop
- iifname != dsl limit name lim_icmp_local counter drop
- counter accept
- }
- chain forward {
- type filter hook forward priority filter
- policy drop
-
-
- ct state invalid log prefix "drop invalid forward: " counter drop
-
-
- iifname lo counter accept
-
- oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
-
- iifname lan oifname dsl counter accept
- iifname dsl oifname lan ct state {established, related} counter accept
-
-
-
- limit name lim_reject log prefix "drop forward: " counter drop
- log prefix "reject forward: " counter
- meta l4proto tcp ct state new counter reject with tcp reset
- ct state new counter reject
-
-
- counter
- }
-
- chain input {
- type filter hook input priority filter
- policy drop
-
-
- ct state invalid log prefix "drop invalid input: " counter drop
-
-
- iifname lo counter accept
- iif != lo ip daddr 127.0.0.1/8 counter reject
- iif != lo ip6 daddr ::1/128 counter reject
-
- iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
- iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
- meta l4proto $icmp_protos counter accept
-
- tcp dport 22 counter accept
- udp dport 60001-61000 counter accept
-
- iifname lan tcp dport 53 counter accept
- iifname lan udp dport 53 counter accept
-
- meta protocol ip udp dport 51820 counter accept
- meta protocol ip6 udp dport 51821 counter accept
- iifname "yggdrasil-wg-*" meta l4proto gre counter accept
-
- iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
-
- iifname mgmt udp dport 123 counter accept
-
- iifname {lan, mgmt} udp dport 67 counter accept
-
- iifname lan udp dport { 137, 138, 3702 } counter accept
- iifname lan tcp dport { 445, 139, 5357 } counter accept
-
- ct state {established, related} counter accept
-
-
- limit name lim_reject log prefix "drop input: " counter drop
- log prefix "reject input: " counter
- meta l4proto tcp ct state new counter reject with tcp reset
- ct state new counter reject
-
-
- counter
- }
-
- chain output {
- type filter hook output priority filter
- policy accept
-
-
- oifname lo counter accept
-
- oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
- oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
- meta l4proto $icmp_protos counter accept
-
-
- counter
- }
-}
-
-table ip nat {
- chain postrouting {
- type nat hook postrouting priority srcnat
- policy accept
-
-
- oifname dsl counter masquerade
- }
-}
-
-table ip mss_clamp {
- chain postrouting {
- type filter hook postrouting priority mangle
- policy accept
-
-
- oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
- }
-}
\ No newline at end of file
-- 
cgit v1.2.3