diff --git a/ic-os/rootfs/guestos/etc/sudoers b/ic-os/rootfs/guestos/etc/sudoers
index d233db6d476..999b6d17cbf 100644
--- a/ic-os/rootfs/guestos/etc/sudoers
+++ b/ic-os/rootfs/guestos/etc/sudoers
@@ -29,6 +29,6 @@ root ALL=(ALL:ALL) NOPASSWD:ALL
 # Allow members of group sudo to execute any command
 %sudo ALL=(ALL:ALL) NOPASSWD:ALL
-ic-replica ALL=(ALL:ALL) NOPASSWD: /opt/ic/bin/manageboot.sh, /opt/ic/bin/provision-ssh-keys.sh, /opt/ic/bin/read-ssh-keys.sh, /opt/ic/bin/guestos_tool
+ic-replica ALL=(ALL:ALL) NOPASSWD: /opt/ic/bin/manageboot.sh, /opt/ic/bin/provision-ssh-keys.sh, /opt/ic/bin/read-ssh-keys.sh, /opt/ic/bin/guestos_tool, /usr/sbin/nft
 # See sudoers(5) for more information on "#include" directives:
diff --git a/ic-os/rootfs/guestos/opt/ic/share/ic.json5.template b/ic-os/rootfs/guestos/opt/ic/share/ic.json5.template
index bcad6c1b6fd..87fd9fb242e 100644
--- a/ic-os/rootfs/guestos/opt/ic/share/ic.json5.template
+++ b/ic-os/rootfs/guestos/opt/ic/share/ic.json5.template
@@ -378,10 +378,16 @@ table ip6 filter {\n\
 size 65535\n\
 flags dynamic\n\
 }\n\
+\n\
+ set blackhole {\n\
+ type ipv4_addr\n\
+ size 65535\n\
+ }\n\
 \n\
 chain INPUT {\n\
 type filter hook input priority 0; policy drop;\n\
 iif lo accept\n\
+ ip saddr @blackhole drop\n\
 ct state new add @rate_limit { ip saddr limit rate over 2000/minute burst 1000 packets } log prefix \"Drop - rate limit: \" drop\n\
 # Notes about the rule below:\n\
 # - The rule allows a maximum of <> persistent connections to any ip address.\n\
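Review bot: The new `/usr/sbin/nft` entry on the `ic-replica` line grants the whole nft binary with any arguments as root, which is far wider than what the rest of this commit appears to need (adding and removing elements of the `blackhole`/`blackhole6` sets); code execution as ic-replica would then be enough to flush the ruleset, switch the INPUT policy to accept, or load arbitrary files via `nft -f`. Consider narrowing it with argument patterns such as `ic-replica ALL=(ALL:ALL) NOPASSWD: /usr/sbin/nft add element ip filter blackhole *, /usr/sbin/nft delete element ip filter blackhole *` plus the ip6 equivalents, or better a small wrapper under /opt/ic/bin that validates the address and is the only command listed here, since sudoers(5) wildcards match across argument boundaries and are hard to make tight. A comment above the line naming the component that invokes nft and why would also help, because the other entries are all project scripts and this one is not.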
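Review bot: The `blackhole` set is declared without `flags timeout`, so an address inserted when a ban starts stays dropped until something explicitly deletes it; if the process that manages the set restarts or crashes between the add and the delete, the ban is permanent until the ruleset is reloaded. Adding `flags timeout` to the set declaration and inserting elements with a `timeout` (matching the 300-second ban the orchestrator part of this commit configures, if that is the intended lifetime) lets the kernel expire entries on its own. Note also that with `size 65535` an `add element` into a full set fails, so the caller must treat that error as non-fatal rather than as a reason to stop banning. A short comment before the set saying who adds elements and for how long would help, since nothing else in this file references it.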
@@ -423,10 +429,16 @@ table ip6 filter {\n\
 size 65535\n\
 flags dynamic\n\
 }\n\
+\n\
+ set blackhole6 {\n\
+ type ipv6_addr\n\
+ size 65535\n\
+ }\n\
 \n\
 chain INPUT {\n\
 type filter hook input priority 0; policy drop;\n\
 iif lo accept\n\
+ ip6 saddr @blackhole6 drop\n\
 ct state new add @rate_limit { ip6 saddr limit rate over 2000/minute burst 1000 packets } log prefix \"Drop - rate limit: \" drop\n\
 # Notes about the rule below:\n\
 # - The rule allows a maximum of <> persistent connections to any ip6 address.\n\
diff --git a/rs/orchestrator/src/boundary_node.rs b/rs/orchestrator/src/boundary_node.rs
index 43ef3a9a7d3..7131ace1f99 100644
--- a/rs/orchestrator/src/boundary_node.rs
+++ b/rs/orchestrator/src/boundary_node.rs
@@ -166,6 +166,12 @@ impl BoundaryNodeManager {
 format!("--local-store-path=/var/lib/ic/data/ic_registry_local_store"),
 format!("--log-journald"),
 format!("--metrics-addr=[::]:9324"),
+ format!("--bouncer-enable"),
+ format!("--bouncer-ratelimit=600"),
+ format!("--bouncer-burst-size=1200"),
+ format!("--bouncer-ban-seconds=300"),
+ format!("--bouncer-max-buckets=30000"),
+ format!("--bouncer-bucket-ttl=60"),
 ];
 process
diff --git a/rs/orchestrator/testdata/nftables_boundary_node.conf.golden b/rs/orchestrator/testdata/nftables_boundary_node.conf.golden
index 93635978c6c..2e9f4af1c74 100644
--- a/rs/orchestrator/testdata/nftables_boundary_node.conf.golden
+++ b/rs/orchestrator/testdata/nftables_boundary_node.conf.golden
@@ -11,9 +11,15 @@ table filter {
 flags dynamic
 }
+ set blackhole {
+ type ipv4_addr
+ size 65535
+ }
+
 chain INPUT {
 type filter hook input priority 0; policy drop;
 iif lo accept
+ ip saddr @blackhole drop
 ct state new add @rate_limit { ip saddr limit rate over 2000/minute burst 1000 packets } log prefix "Drop - rate limit: " drop
 # Notes about the rule below:
 # - The rule allows a maximum of 400 persistent connections to any ip address.
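Review bot: Keying `blackhole6` on a single `ipv6_addr` gives a weak ban on IPv6, where a client commonly controls a whole /64 or larger: a source that gets banned can move to the next address in its prefix and pass both `ip6 saddr @blackhole6 drop` and the per-address `@rate_limit` rule below it. If the component that fills this set bans individual addresses (I cannot see its key from this hunk), consider declaring the set with `flags interval` so it can hold `/64` prefixes, or else record the decision in a comment such as `# blackhole6 is per /128 by design; an attacker with a /64 can rotate around it`. The same point as for the IPv4 set applies here: without `flags timeout` an entry persists until explicitly removed.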
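Review bot: The six new `--bouncer-*` values are bare literals with nothing saying what unit `--bouncer-ratelimit=600` is in or how `600`/burst `1200` and the 300-second ban relate to the kernel-side `2000/minute burst 1000` limit and to the `blackhole` sets added elsewhere in this commit, so a reader cannot tell whether the bouncer is meant to trip before or after nftables does. Lifting them into documented constants, e.g. `const BOUNCER_BAN_SECONDS: u32 = 300; // lifetime of a blackhole entry; keep in sync with the nftables set` and `format!("--bouncer-ban-seconds={}", BOUNCER_BAN_SECONDS)`, would make that relationship explicit and keep the two sides from drifting. Presumably this relies on the process running as `ic-replica` so that the sudoers entry for `nft` in this commit applies; a one-line comment stating that dependency would save the next person a search. The enclosing method continues outside the hunk.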
@@ -58,9 +64,15 @@ table ip6 filter {
 flags dynamic
 }
+ set blackhole6 {
+ type ipv6_addr
+ size 65535
+ }
+
 chain INPUT {
 type filter hook input priority 0; policy drop;
 iif lo accept
+ ip6 saddr @blackhole6 drop
 ct state new add @rate_limit { ip6 saddr limit rate over 2000/minute burst 1000 packets } log prefix "Drop - rate limit: " drop
 # Notes about the rule below:
 # - The rule allows a maximum of 400 persistent connections to any ip6 address.