GrapheneOS, 1 month ago to random

Due to frequent DDoS attacks, we're enforcing stricter limits on the number of connections to our servers. By default, each server enforces a limit of 16 or 32 TCP connections from each IPv4 address and IPv6 /64 block. During persistent attacks, these limits will be adjusted.

#netfilter #nftables #synproxy #ddos

kernellogger, 2 months ago to linux

Introduction to #Netfilter, from Mohith Thummaluru

https://blogs.oracle.com/linux/post/introduction-to-netfilter

"'"[…] a subsystem that was introduced in the #Linux 2.4 #kernel that provides a framework for implementing advanced network functionalities such as packet filtering, network address translation (NAT), and connection tracking. It achieves this by leveraging hooks in the kernel’s network code, which are the locations where kernel code can register functions to be invoked for specific network events. […]"'"

#LinuxKernel

kernellogger, 2 months ago to linux

Florian Westphal stepped down as #Linux' #netfilter maintainer

"'"I do not feel that I'm up to the task anymore.

I hope this to be a temporary emergency measure, but for now I'm sure this is the best course of action for me."'"

#Ugh 😟

https://git.kernel.org/torvalds/c/b5048d27872a9734d142540ea23c3e897e47e05c

#kernel #LinuxKernel

linuxmagazine, 9 months ago to foss

From Linux Update: Frank Hoffman shows you how nftables simplifies the process of creating and maintaining firewall rules https://www.linux-magazine.com/Issues/2023/270/nftables #firewall #nftables #iptables #FOSS #filter #packets #Linux #netfilter #OpenSource

LaF0rge, 1 year ago to linux

Really curious to see how CVS-223-32233 for #linux #netfilter nf_tables https://seclists.org/oss-sec/2023/q2/133 can be exploted fom "unprivileged local users". AFAICT, nf_tables_api goes through nfnetlink, and nfnetlink_rcv() checks for CAP_NET_ADMIN way before the code in nf_tables_api is hit. Disclaimer: I'm not involved with netfilter for >10 years now, so my knowledge might be rusty (no pun intended).