Difference between revisions of "Simple ruleset for a workstation"
Jump to navigation
Jump to search
(use policy and more comments) |
(Pages using deprecated source tags) |
||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
A very simple set of rules that allows you to initiate communications from your workstation to the Internet but restricts any communication initiation to your workstation (that was not initiated by you). | A very simple set of rules that allows you to initiate communications from your workstation to the Internet but restricts any communication initiation to your workstation (that was not initiated by you). | ||
You can load this file with nft -f. | |||
= fw.basic = | = fw.basic = | ||
| Line 5: | Line 7: | ||
For IPv4 only workstation. | For IPv4 only workstation. | ||
< | <syntaxhighlight lang="bash"> | ||
flush ruleset | |||
table ip filter { | table ip filter { | ||
chain input { | chain input { | ||
| Line 17: | Line 21: | ||
} | } | ||
} | } | ||
</ | </syntaxhighlight> | ||
= fw6.basic = | = fw6.basic = | ||
| Line 23: | Line 27: | ||
For IPv6 only workstation. | For IPv6 only workstation. | ||
< | <syntaxhighlight lang="bash"> | ||
flush ruleset | |||
table ip6 filter { | table ip6 filter { | ||
chain input { | chain input { | ||
| Line 35: | Line 41: | ||
# accept neighbour discovery otherwise connectivity breaks | # accept neighbour discovery otherwise connectivity breaks | ||
icmpv6 type { nd-neighbor-solicit | icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept | ||
} | } | ||
} | } | ||
</ | </syntaxhighlight> | ||
= fw.inet.basic = | = fw.inet.basic = | ||
| Line 44: | Line 50: | ||
For dual-stack IPv4/IPv6 workstation. | For dual-stack IPv4/IPv6 workstation. | ||
< | <syntaxhighlight lang="bash"> | ||
flush ruleset | |||
table inet filter { | table inet filter { | ||
chain input { | chain input { | ||
| Line 56: | Line 64: | ||
# accept neighbour discovery otherwise IPv6 connectivity breaks | # accept neighbour discovery otherwise IPv6 connectivity breaks | ||
icmpv6 type { nd-neighbor-solicit | icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept | ||
} | } | ||
} | } | ||
</ | </syntaxhighlight> | ||
Latest revision as of 00:51, 9 December 2021
A very simple set of rules that allows you to initiate communications from your workstation to the Internet but restricts any communication initiation to your workstation (that was not initiated by you).
You can load this file with nft -f.
fw.basic
For IPv4 only workstation.
flush ruleset
table ip filter {
chain input {
type filter hook input priority 0; policy drop;
# accept traffic originated from us
ct state established,related accept
# accept any localhost traffic
iif lo accept
}
}
fw6.basic
For IPv6 only workstation.
flush ruleset
table ip6 filter {
chain input {
type filter hook input priority 0; policy drop;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
}
}
fw.inet.basic
For dual-stack IPv4/IPv6 workstation.
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# accept neighbour discovery otherwise IPv6 connectivity breaks
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
}
}