define icmp_protos = {ipv6-icmp, icmp, igmp} table arp filter { limit lim_arp { rate over 50 mbytes/second burst 50 mbytes } counter arp-rx {} counter arp-tx {} counter arp-ratelimit-rx {} counter arp-ratelimit-tx {} chain input { type filter hook input priority filter policy accept limit name lim_arp counter name arp-ratelimit-rx drop counter name arp-rx } chain output { type filter hook output priority filter policy accept limit name lim_arp counter name arp-ratelimit-tx drop counter name arp-tx } } table inet filter { limit lim_reject { rate over 1000/second burst 1000 packets } limit lim_icmp { rate over 50 mbytes/second burst 50 mbytes } counter invalid-fw {} counter fw-lo {} counter fw-bifrost {} counter fw-inet {} counter icmp-ratelimit-vpn-fw {} counter icmp-ratelimit-established-fw {} counter icmp-ratelimit-inet-fw {} counter icmp-vpn-fw {} counter icmp-established-fw {} counter icmp-inet-fw {} counter reject-ratelimit-fw {} counter reject-fw {} counter reject-tcp-fw {} counter reject-icmp-fw {} counter drop-fw {} counter invalid-rx {} counter rx-lo {} counter invalid-local4-rx {} counter invalid-local6-rx {} counter icmp-ratelimit-rx {} counter icmp-rx {} counter ssh-rx {} counter mosh-rx {} counter wg-rx {} counter yggdrasil-gre-rx {} counter dns-rx {} counter http-rx {} counter stun-rx {} counter turn-rx {} counter smtp-rx {} counter submissions-rx {} counter imaps-rx {} counter managesieve-rx {} counter pgbackrest-rx {} counter established-rx {} counter reject-ratelimit-rx {} counter reject-rx {} counter reject-tcp-rx {} counter reject-icmp-rx {} counter drop-rx {} counter tx-lo {} counter icmp-ratelimit-tx {} counter icmp-tx {} counter ssh-tx {} counter mosh-tx {} counter dns-tx {} counter wg-tx {} counter yggdrasil-gre-tx {} counter http-tx {} counter stun-tx {} counter turn-tx {} counter smtp-tx {} counter submissions-tx {} counter imaps-tx {} counter managesieve-tx {} counter pgbackrest-tx {} counter tx {} chain forward { type filter hook forward priority filter policy drop ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop iifname lo counter name fw-lo accept meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} limit name lim_icmp counter name icmp-ratelimit-vpn-fw drop meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} counter name icmp-vpn-fw accept meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter name icmp-ratelimit-established-fw drop meta l4proto $icmp_protos ct state {established, related} counter name icmp-established-fw accept meta l4proto $icmp_protos oifname bifrost limit name lim_icmp counter name icmp-ratelimit-inet-fw drop meta l4proto $icmp_protos oifname bifrost counter name icmp-inet-fw accept oifname bifrost counter name fw-bifrost accept iifname bifrost oifname ens3 counter name fw-inet accept limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop log level debug prefix "reject forward: " counter name reject-fw meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset ct state new counter name reject-icmp-fw reject counter name drop-fw } chain input { type filter hook input priority filter policy drop ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop iifname lo counter name rx-lo accept iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop meta l4proto $icmp_protos counter name icmp-rx accept tcp dport 22 counter name ssh-rx accept udp dport 60000-61000 counter name mosh-rx accept meta protocol ip udp dport 51820 counter name wg-rx accept meta protocol ip6 udp dport {51821, 51822} counter name wg-rx accept iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept tcp dport 53 counter name dns-rx accept udp dport 53 counter name dns-rx accept tcp dport {80, 443, 8448} counter name http-rx accept udp dport {443, 8448} counter name http-rx accept tcp dport {3478, 5349} counter name stun-rx accept udp dport {3478, 5349} counter name stun-rx accept udp dport 49000-50000 counter name turn-rx accept tcp dport 25 counter name smtp-rx accept tcp dport 465 counter name submissions-rx accept tcp dport 993 counter name imaps-rx accept tcp dport 4190 counter name managesieve-rx accept iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept ct state {established, related} counter name established-rx accept limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop log level debug prefix "reject input: " counter name reject-rx meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset ct state new counter name reject-icmp-rx reject counter name drop-rx } chain output { type filter hook output priority filter policy accept oifname lo counter name tx-lo accept meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop meta l4proto $icmp_protos counter name icmp-tx accept tcp sport 22 counter name ssh-tx udp sport 60000-61000 counter name mosh-tx tcp sport 53 counter name dns-tx udp sport 53 counter name dns-tx meta protocol ip udp sport 51820 counter name wg-tx meta protocol ip6 udp sport {51821, 51822} counter name wg-tx iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx tcp sport {80, 443, 8448} counter name http-tx accept udp sport {443, 8448} counter name http-tx accept tcp sport {3478, 5349} counter name stun-tx accept udp sport {3478, 5349} counter name stun-tx accept udp sport 49000-50000 counter name turn-tx accept tcp sport 25 counter name smtp-tx accept tcp sport 465 counter name submissions-tx accept tcp sport 993 counter name imaps-tx accept tcp sport 4190 counter name managesieve-tx accept tcp sport 8432 counter name pgbackrest-tx accept counter name tx } }