From ca072da5df2f40b4fd652266bf14590bbf661857 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 9 Dec 2021 09:29:19 +0100
Subject: vidhar: nftables...

---
 hosts/vidhar/ruleset.nft | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

(limited to 'hosts/vidhar')

diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index f0ea3d24..5a6d2c4e 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,6 +1,13 @@
 table inet filter {
 limit lim_reject {
- rate over 1000 / second burst 1000 packets
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp_local {
+ rate 10 mbytes/second burst 10 mbytes
+ }
+ limit lim_icmp_dsl {
+ rate 1 mbytes/second burst 1 mbytes
 }
@@ -12,12 +19,13 @@ table inet filter {
 ct state invalid log prefix "drop invalid forward: " counter drop
+ iifname lo counter accept
+ iifname eno1 oifname dsl counter accept
 iifname dsl oifname eno1 ct state {established, related} counter accept
- meta l4proto ipv6-icmp counter accept
- meta l4proto icmp counter accept
- meta l4proto igmp counter accept
+ oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local accept
+ oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl accept
 limit name lim_reject log prefix "drop forward: " counter drop
@@ -47,11 +55,10 @@ table inet filter {
 meta protocol ip udp dport 51820 counter accept
 udp dport 60000-61000 counter accept
- iifname "dsl" meta protocol ip6 udp dport 546 udp sport 547 counter accept
+ iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
- meta l4proto ipv6-icmp counter accept
- meta l4proto icmp counter accept
- meta l4proto igmp counter accept
+ iifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
+ iifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
 limit name lim_reject log prefix "drop input: " counter drop
-- 
cgit v1.2.3
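Review bot: The two new ICMP limits `lim_icmp_local` and `lim_icmp_dsl` are expressed in bytes per second, but ICMP floods are normally many small packets, so `rate 1 mbytes/second burst 1 mbytes` still admits roughly ten thousand minimal echo requests per second before anything is dropped (order-of-magnitude estimate); a packet-rate limit instead of, or alongside, the byte rate would bound the control-plane cost more directly, e.g. `rate 1000/second burst 1000 packets` (constructed value, tune to the link). Each limit object also deserves a one-line comment noting that a named limit is one shared token bucket for every rule that references it, so `lim_icmp_dsl` is drawn on by both the forward and the input chain and a burst on one chain starves the other. The enclosing `table inet filter` block continues past the hunk.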
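Review bot: The forward-chain ICMP split is keyed on `oifname`, while the input chain in the third hunk keys the same two limits on `iifname`; as written, ICMP arriving from `dsl` and forwarded to `eno1` matches `oifname != dsl` and draws on the generous `lim_icmp_local` budget, and only ICMP leaving toward `dsl` from interfaces other than `eno1` (the new `iifname eno1 oifname dsl counter accept` line already accepts that path unconditionally, limits included) is held to `lim_icmp_dsl`. If the intent is to bound what the WAN side can push through the router, the forward rules should read `iifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl accept` and `iifname != dsl ... limit name lim_icmp_local accept`, matching the input chain; if keying on egress is deliberate, a short comment saying why would keep the next reader from changing it. `iifname lo counter accept` in a forward chain is almost certainly dead, since loopback traffic is not forwarded, so it should either be dropped or annotated. The chain header and policy are outside the hunk.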
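Review bot: The input-chain limits now cover all of `ipv6-icmp`, including neighbor solicitation/advertisement, router advertisements and packet-too-big, so an echo-request flood that exhausts `lim_icmp_dsl` or `lim_icmp_local` also drops the messages the host itself needs for address resolution, default-route upkeep and PMTU discovery (the excess falls through to the `lim_reject` log/drop rule below and then the chain policy). Consider accepting the essential types ahead of the rate-limited rules, `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big } counter accept`, and doing the same in the forward chain of the previous hunk for packet-too-big at least. The chain header and policy are outside the hunk.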