X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/84b5aa673d3d29cbf124c93abaa4c6995b9c1ea5..3ee5c4d242a98a13d89a02ba7998610a20969e0c:/cookbooks/networking/templates/default/nftables.conf.erb?ds=inline diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb index cc3cd8f7f..05984ac3e 100644 --- a/cookbooks/networking/templates/default/nftables.conf.erb +++ b/cookbooks/networking/templates/default/nftables.conf.erb @@ -4,8 +4,10 @@ define external-interfaces = { <%= @interfaces.sort.uniq.join(", ") %> } <%- end %> -define ip-private-addresses = { 0.0.0.0, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/4 } -define ip6-private-addresses = { 2001:db8::/32, fc00::/7, ff00::/8 } +define ip-private-addresses = { 0.0.0.0, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16 } +define ip-multicast-addresses = { 224.0.0.0/4 } +define ip6-private-addresses = { 2001:db8::/32, fc00::/7 } +define ip6-multicast-addresses = { ff00::/8 } table inet chef-filter { set ip-osm-addresses { @@ -77,18 +79,15 @@ table inet chef-filter { chain incoming { <%- if node[:networking][:firewall][:allowlist].empty? %> - ip saddr { $ip-private-addresses } jump log-and-drop + ip saddr { $ip-private-addresses, $ip-multicast-addresses } jump log-and-drop <%- else %> - ip saddr { $ip-private-addresses } ip saddr != { <%= node[:networking][:firewall][:allowlist].sort.join(", ") %> } jump log-and-drop + ip saddr { $ip-private-addresses, $ip-multicast-addresses } ip saddr != { <%= node[:networking][:firewall][:allowlist].sort.join(", ") %> } jump log-and-drop <%- end %> - ip6 saddr { $ip6-private-addresses } jump log-and-drop + ip6 saddr { $ip6-private-addresses, $ip6-multicast-addresses } jump log-and-drop ip saddr @ip-blocklist jump log-and-drop ip6 saddr @ip6-blocklist jump log-and-drop - ct state { established, related } accept - - icmp type { destination-unreachable } accept icmp type { echo-request } update @ratelimit-icmp-echo-ip { ip saddr limit rate 1/second } accept icmp type { echo-request } drop @@ -96,6 +95,8 @@ table inet chef-filter { icmpv6 type { echo-request } update @ratelimit-icmp-echo-ip6 { ip6 saddr limit rate 1/second } accept icmpv6 type { echo-request } drop + ct state { established, related } accept + meta l4proto { icmp, icmpv6 } jump log-and-drop tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg jump log-and-drop