ssh ciphers and various options

postconfig.sh

@@ -12,5 +12,3 @@ ipset restore < /config/hphr.ipset
 
 iptables-restore /config/hphr.rules.v4
 ip6tables-restore /config/hphr.rules.v6
-echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
-echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

vyos.conf.j2

@@ -741,7 +741,9 @@ policy {
             }
             action permit
             set {
-                ipv6-next-hop {{ salt['pillar.get']('protocols:static:blackhole:IPv6') }}
+                ipv6-next-hop {
+                    global {{ salt['pillar.get']('protocols:static:blackhole:IPv6') }}
+                }
             }
         }
     }
@@ -838,6 +840,9 @@ service {
     }
     ssh {
         listen-address {{ pillar['service']['ssh']['listen-address'] }}
+        ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+        key-exchange curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+        mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
     }
 }
 
@@ -889,6 +894,21 @@ system {
 {% endfor %}
     }
 
+    options {
+        ctrl-alt-del-action ignore
+        reboot-on-panic true
+        beep-if-fully-booted
+    }
+
+    sysctl {
+        all net.ipv4.conf.all.rp_filter {
+            value 2
+        }
+        all net.ipv4.conf.default.rp_filter {
+            value 2
+        }
+    }
+
     syslog {
         global {
             facility all {