[elpa] externals/nftables-mode f354d71598 13/41: break prologue (nee PRELUDE) out of input

From: Stefan Monnier
Subject: [elpa] externals/nftables-mode f354d71598 13/41: break prologue (nee PRELUDE) out of input
Date: Mon, 23 May 2022 09:27:23 -0400 (EDT)
branch: externals/nftables-mode
commit f354d71598d0c97d32c764b3cdea774911eea440
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>
break prologue (nee PRELUDE) out of input
---
nftables-router.nft | 68 +++++++++++++++++++++++++++++++++--------------------
1 file changed, 43 insertions(+), 25 deletions(-)
diff --git a/nftables-router.nft b/nftables-router.nft
index 842ee961b4..fb35c54ac2 100644
--- a/nftables-router.nft
+++ b/nftables-router.nft
@@ -94,24 +94,11 @@ flush ruleset
table inet my_filter {
+
chain my_input {
type filter hook input priority filter
policy drop
- # Typically 99%+ of packets are part of an already-established flow.
- # Allow those first, so we're a fast, stateful firewall.
- # After this only "ct state new" (or "ct state untracked") will remain.
- # FIXME: is a vmap here better (more efficient) than two separate
rules?
- # FIXME: {established or related: accept} does not match correctly!
- ct state vmap { established: accept, related: accept, invalid: drop }
-
- # Loopback traffic is needed for e.g. NFS RPC, and for debugging.
- # FIXME: is iiftype here better than iif/iifname?
- iiftype loopback accept
-
- # Allow *some* kinds of IPv4/ICMP and IPv6/ICMPv6.
- # FIXME: are "ip protocol icmp" and "ip6 nexthdr icmpv6" needed?
- ip protocol icmp icmp type vmap @ICMP_policy
- ip6 nexthdr icmpv6 icmpv6 type vmap @ICMPv6_RFC4890_policy
+ jump my_prologue comment "deal with boring
conntrack/loopback/ICMP/ICMPv6"
# YOUR RULES HERE.
# NOTE: service names resolve via nss (/etc/hosts) only in nft 0.9.1+!
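Review bot: with the conntrack/loopback/ICMP rules replaced by `jump my_prologue`, the behaviour of my_input now depends on a regular chain defined later in the file; nft loads the ruleset atomically so the forward reference works, but the three FIXME comments that travel with those rules should be resolved rather than carried along. For the vmap-vs-two-rules question, `ct state { established, related } accept` followed by `ct state invalid drop` expresses exactly the "established or related" case that the second FIXME says the vmap key cannot, and makes the fast path read as two plain rules. Also check that the committed file keeps the quoted `comment "deal with boring conntrack/loopback/ICMP/ICMPv6"` on a single line; it is wrapped across two lines in this rendering.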
@@ -125,23 +112,28 @@ table inet my_filter {
##FOR "router" EXAMPLE##iif enp11s0 tcp dport domain accept
##FOR "router" EXAMPLE##iif enp11s0 udp dport { domain, ntp, bootps }
accept
- # Finally, politely reject all other attempts.
- # Omit to use the default policy ("policy drop", above) instead.
- reject
+ jump my_epilogue
}
- # A host can't route unless you explicitly enable it, e.g.:
- #
- # sysctl net/ipv4/ip_forward=1
- # sysctl net/ipv6/conf/all/forwarding=1
- #
- # We create a "deny all" inet filter forward chain anyway, as
- # defense-in-depth against someone enabling routing ACCIDENTALLY.
+
chain my_forward {
type filter hook forward priority filter
policy drop
+ jump my_prologue comment "deal with boring
conntrack/loopback/ICMP/ICMPv6"
+
+ # YOUR RULES HERE.
+ # NOTE: service names resolve via nss (/etc/hosts) only in nft 0.9.1+!
+ # NOTE: a single rule CAN match "allow 53/tcp and 53/udp", but it's
UGLY, so we don't.
+ # NOTE: I assume you used systemd (networkd or udev) to rename
"enp0s0f0" to "lan".
+ tcp dport ssh accept
+ tcp dport { http, https } accept
+ iifname lan tcp dport domain accept
+ iifname lan udp dport { domain, ntp, bootps } accept
+
+ jump my_epilogue
}
+
# We want output to be "allow all", so we don't even create a chain.
#chain my_output {
# type filter hook output priority filter
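Review bot: the rules added under `# YOUR RULES HERE.` in my_forward read as a copy of the input rules rather than rules written for forwarding. `tcp dport ssh accept` and `tcp dport { http, https } accept` carry no `iifname`/`oifname`, so once forwarding is enabled they forward those ports between any pair of interfaces, and `iifname lan udp dport { domain, ntp, bootps } accept` permits DNS/NTP/DHCP to be forwarded *from* the LAN, whereas in my_input the same services are offered *to* the LAN. Either mark them as examples the way my_input does (`##FOR "router" EXAMPLE##`) or scope them with `oifname`; note too that my_input's example uses `iif enp11s0` while this chain assumes the interface was renamed to `lan`, so the two examples do not describe the same box. The deleted comment about `sysctl net/ipv4/ip_forward=1` / `net/ipv6/conf/all/forwarding=1` and the forward chain being defense-in-depth against accidental routing is the only place that explains why a forward chain exists on a non-router; keep it (above `chain my_forward`) rather than dropping it.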
@@ -149,6 +141,32 @@ table inet my_filter {
#}
+ chain my_prologue {
+ # Typically 99%+ of packets are part of an already-established flow.
+ # Allow those first, so we're a fast, stateful firewall.
+ # After this only "ct state new" (or "ct state untracked") will remain.
+ # FIXME: is a vmap here better (more efficient) than two separate
rules?
+ # FIXME: {established or related: accept} does not match correctly!
+ ct state vmap { established: accept, related: accept, invalid: drop }
+
+ # Loopback traffic is needed for e.g. NFS RPC, and for debugging.
+ # FIXME: is iiftype here better than iif/iifname?
+ iiftype loopback accept
+
+ # Allow *some* kinds of IPv4/ICMP and IPv6/ICMPv6.
+ # FIXME: are "ip protocol icmp" and "ip6 nexthdr icmpv6" needed?
+ ip protocol icmp icmp type vmap @ICMP_policy
+ ip6 nexthdr icmpv6 icmpv6 type vmap @ICMPv6_RFC4890_policy
+
+ }
+
+ chain my_epilogue {
+ # Finally, politely reject all other attempts.
+ # Omit to use the default policy ("policy drop", above) instead.
+ reject
+ }
+
+
# Allow all ICMPv6 is wrong (insecure);
# Deny all ICMPv6 is wrong (breaks IPv6).
# The following vmap merges RFC 4890 4.4 (for hosts) and 4.4 (for routers).
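Review bot: my_prologue has a stray blank line before its closing `}`, and two consecutive blank lines follow my_epilogue; tidy both. More substantively, my_epilogue's comment "Omit to use the default policy ("policy drop", above) instead" no longer reads correctly inside a regular chain: the policy belongs to whichever base chain jumped here, and since my_forward now also jumps to my_epilogue, `reject` answers forwarded packets too, turning a forward path that silently dropped into one that sends ICMP unreachables back to the sender. Decide whether my_forward should jump to my_epilogue at all or simply fall through to its own `policy drop`. Likewise `iiftype loopback accept` in my_prologue is only meaningful for the input hook and is dead weight in the forward path; a one-line comment stating that the chain serves both hooks would help the next reader.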