mirror of
https://github.com/zulip/zulip.git
synced 2025-11-23 07:52:35 +00:00
Under heavy request load, it is possible for the conntrack kernel table to fill up (by default, 256k connections). This leads to DNS requests failing because they cannot make a new conntrack entry. Allow all port-53 UDP traffic in and out without connection tracking. This means that unbound port-53 traffic is no longer filtered out by the on-host firewall -- but it is already filtered out at the border firewall, so this does not change the external network posture. `systemd-resolve` also only binds to 127.0.0.53 on the loopback interface, so there is no server to attack on inbound port 53.
31 lines
962 B
Plaintext
# This file was auto-generated by Puppet. Do not edit by hand.

# The raw table is used to disable connection tracking for DNS
# traffic, so it works even when the conntrack table fills.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
-A PREROUTING -p udp -m udp --sport 53 -j CT --notrack
-A OUTPUT -p udp -m udp --dport 53 -j CT --notrack
-A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
COMMIT


*filter
# Allow all outbound traffic
-A OUTPUT -j ACCEPT

# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT

# Drop all traffic to loopback IPs on other interfaces
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# Accept incoming traffic related to established connections, or the
# untracked port-53-UDP set up above. See iptables-extensions(8) for
# the --state flag. INVALID and NEW packets are not accepted by this rule.
-A INPUT -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT

# Host-specific rules follow:
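Two checks a practitioner would want after loading this file, as an added example that is not Zulip's code: an audit of an iptables-save style dump for the four raw-table `--notrack` rules plus the filter INPUT rule that accepts UNTRACKED (without that last rule, replies to the now-untracked DNS queries no longer match ESTABLISHED and are treated as NEW), and an audit of `ss -lun` output for a UDP/53 listener bound anywhere other than loopback, which is the posture assumption the commit message relies on. The sample dumps and socket listings are constructed inline, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Zulip commit): audit an iptables-save style
# dump for the untracked-DNS pattern, and audit `ss -lun` output for DNS
# listeners that are not bound to loopback. All inputs below are constructed.

# check_dns_notrack FILE
# Exit status is the number of missing pieces (0 = pattern complete).
check_dns_notrack() {
  dump="$1"
  missing=0
  for chain in PREROUTING OUTPUT; do
    for dir in dport sport; do
      if ! awk -v c="$chain" -v d="--$dir" '
        /^\*/ { table = substr($0, 2) }
        table == "raw" && $1 == "-A" && $2 == c && /-p udp/ && $0 ~ (d " 53( |$)") && /-j CT --notrack/ { found = 1 }
        END { exit found ? 0 : 1 }' "$dump"; then
        echo "missing: raw $chain udp $dir 53 -> CT --notrack"
        missing=$((missing + 1))
      fi
    done
  done
  # Untracked replies never become ESTABLISHED, so INPUT must accept UNTRACKED.
  if ! awk '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && $1 == "-A" && $2 == "INPUT" && /--(ct)?state/ && /UNTRACKED/ && /-j ACCEPT/ { found = 1 }
    END { exit found ? 0 : 1 }' "$dump"; then
    echo "missing: filter INPUT ACCEPT of --state UNTRACKED"
    missing=$((missing + 1))
  fi
  return $missing
}

# check_dns_listeners FILE
# FILE holds `ss -lun` output. Exit status 1 if any UDP/53 socket is bound
# to something other than 127.0.0.0/8 or ::1.
check_dns_listeners() {
  awk '
    $1 == "UNCONN" {
      local = $4
      sub(/%[A-Za-z0-9]+/, "", local)        # drop interface scope, e.g. %lo
      if (match(local, /:[0-9]+$/) == 0) next
      port = substr(local, RSTART + 1)
      addr = substr(local, 1, RSTART - 1)
      if (port == "53" && addr !~ /^127\./ && addr != "[::1]") {
        print "exposed DNS listener: " $4
        bad++
      }
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample inputs.
write_good_dump() {
  cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
-A PREROUTING -p udp -m udp --sport 53 -j CT --notrack
-A OUTPUT -p udp -m udp --dport 53 -j CT --notrack
-A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
COMMIT
*filter
-A OUTPUT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT
COMMIT
EOF
}
# Same raw table, but the filter rule forgot UNTRACKED: DNS replies get dropped.
write_bad_dump() {
  write_good_dump | sed 's/ESTABLISHED,RELATED,UNTRACKED/ESTABLISHED,RELATED/'
}
write_ss_loopback_only() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
UNCONN  0       0       127.0.0.53%lo:53    0.0.0.0:*
UNCONN  0       0       [::1]:53            [::]:*
UNCONN  0       0       0.0.0.0:68          0.0.0.0:*
EOF
}
write_ss_exposed() {
  write_ss_loopback_only
  echo "UNCONN  0       0       0.0.0.0:53          0.0.0.0:*"
}

# Demo run over the constructed inputs.
t=$(mktemp)
write_good_dump > "$t"; check_dns_notrack "$t" && echo "good dump: ok"
write_bad_dump > "$t"; check_dns_notrack "$t" || echo "bad dump: $? missing"
write_ss_exposed > "$t"; check_dns_listeners "$t" || echo "exposed listener found"
rm -f "$t"
```

Run it against a live host with `iptables-save > dump; check_dns_notrack dump` and `ss -lun > sock; check_dns_listeners sock`; both functions print each finding and return non-zero when the pattern from this file is incomplete or a DNS socket is reachable off-loopback.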