Simple ruleset for a workstation
Latest revision as of 23:51, 8 December 2021
A very simple ruleset that lets your workstation initiate connections to the Internet while dropping every inbound connection attempt that you did not initiate. All three variants attach only to the input hook with a default policy of drop: anything not explicitly accepted (including unsolicited ICMP such as ping) is silently discarded, and since there is no output or forward chain, outgoing traffic is not filtered at all.

You can load any of these files with nft -f FILE. Each file starts with flush ruleset, which discards every table currently loaded, including tables managed by other tools, so on a host that already carries rules you want to keep, merge these chains into the existing ruleset instead of loading the file as-is.
fw.basic
For an IPv4-only workstation.
<syntaxhighlight lang="bash">
flush ruleset
table ip filter {
    chain input {
        # anything not accepted by a rule below is dropped
        type filter hook input priority 0; policy drop;
        # accept traffic originated from us
        ct state established,related accept
        # accept any localhost traffic
        iif lo accept
    }
}
</syntaxhighlight>
fw6.basic
For an IPv6-only workstation. Neighbour discovery has to be accepted explicitly: conntrack does not track router advertisements, neighbour solicitations or neighbour advertisements, so the established,related rule never matches them, and without them the host can neither resolve link-layer addresses nor learn its default router.
<syntaxhighlight lang="bash">
flush ruleset
table ip6 filter {
    chain input {
        # anything not accepted by a rule below is dropped
        type filter hook input priority 0; policy drop;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # accept neighbour discovery otherwise connectivity breaks
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    }
}
</syntaxhighlight>
fw.inet.basic
For a dual-stack IPv4/IPv6 workstation. In the inet family a single table holds both IPv4 and IPv6 rules; a match such as icmpv6 type only ever applies to IPv6 packets, so the neighbour discovery rule has no effect on IPv4 traffic.
<syntaxhighlight lang="bash">
flush ruleset
table inet filter {
    chain input {
        # anything not accepted by a rule below is dropped
        type filter hook input priority 0; policy drop;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # accept neighbour discovery otherwise IPv6 connectivity breaks
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    }
}
</syntaxhighlight>
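The following is an added example and not code from the nftables wiki or the nftables project. It ties the "load with nft -f" step above to the dual-stack ruleset: a POSIX shell script that writes a ruleset extending fw.inet.basic with a drop of conntrack-invalid packets and one inbound service (SSH on port 22, reachable only from a trusted subnet), checks the file with nft -c -f before touching the live rules, saves the current ruleset and arms a timed rollback so a mistake in the new rules cannot lock you out of a remote session. The file paths, the 60 second rollback window and the allowed subnets (RFC 5737 and RFC 3849 documentation prefixes) are placeholders to adjust; it needs root and an nft that supports --check.

```shell
#!/bin/sh
# Added example (not from the nftables wiki): generate, check, load and
# optionally roll back a dual-stack workstation ruleset based on fw.inet.basic.
# All paths and subnets are assumptions for the example.

RULESET_FILE="${RULESET_FILE:-/tmp/fw.inet.workstation.nft}"
BACKUP_FILE="${BACKUP_FILE:-/tmp/nft-backup.nft}"
ROLLBACK_SECONDS="${ROLLBACK_SECONDS:-60}"

# Write the ruleset. Compared with fw.inet.basic it additionally drops packets
# conntrack cannot classify and accepts new SSH connections, but only from the
# trusted IPv4/IPv6 subnets given as arguments (documentation prefixes by default).
write_ruleset() {
    allow_v4="${1:-192.0.2.0/24}"
    allow_v6="${2:-2001:db8::/32}"
    cat > "$RULESET_FILE" <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # accept any localhost traffic
        iif lo accept
        # drop what conntrack cannot classify before anything else
        ct state invalid drop
        # accept traffic originated from us
        ct state established,related accept
        # accept neighbour discovery otherwise IPv6 connectivity breaks
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # the one inbound service this workstation offers, from trusted subnets only
        ip saddr $allow_v4 tcp dport 22 ct state new accept
        ip6 saddr $allow_v6 tcp dport 22 ct state new accept
    }
}
EOF
}

# Parse and validate the file without applying it; non-zero on any error.
check_ruleset() {
    nft -c -f "$RULESET_FILE"
}

# Save the live ruleset (prefixed with "flush ruleset" so restoring it also
# removes our new table), arm a background rollback, then load the new file.
# Call confirm_ruleset within ROLLBACK_SECONDS to keep the new rules.
load_ruleset() {
    check_ruleset || return 1
    { echo "flush ruleset"; nft list ruleset; } > "$BACKUP_FILE" || return 1
    ( sleep "$ROLLBACK_SECONDS" && nft -f "$BACKUP_FILE" ) &
    echo $! > "$BACKUP_FILE.pid"
    nft -f "$RULESET_FILE"
}

# Cancel the pending rollback once you have verified the host is still reachable.
confirm_ruleset() {
    kill "$(cat "$BACKUP_FILE.pid")" 2>/dev/null || true
    rm -f "$BACKUP_FILE.pid"
}

# Usage: . ./fw-load.sh && write_ruleset 192.0.2.0/24 2001:db8::/32 && load_ruleset
# then, from a fresh session that proves the rules let you in, run confirm_ruleset.
```

The rollback is armed before the new rules are applied on purpose: if the load itself succeeds but the rules cut off the session you are working from, nothing further needs to run on your side, and the saved ruleset comes back on its own when the timer expires.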