Difference between revisions of "Simple ruleset for a workstation"
Jump to navigation
Jump to search
(use policy and more comments) |
|||
| Line 1: | Line 1: | ||
A very simple set of rules that allows you to initiate communications from your workstation to the Internet but restricts any communication initiation to your workstation (that was not initiated by you). | |||
= fw.basic = | = fw.basic = | ||
| Line 6: | Line 8: | ||
table ip filter { | table ip filter { | ||
chain input { | chain input { | ||
type filter hook input priority 0; | type filter hook input priority 0; policy drop; | ||
# accept traffic originated from us | # accept traffic originated from us | ||
| Line 13: | Line 15: | ||
# accept any localhost traffic | # accept any localhost traffic | ||
iif lo accept | iif lo accept | ||
} | } | ||
} | } | ||
| Line 27: | Line 26: | ||
table ip6 filter { | table ip6 filter { | ||
chain input { | chain input { | ||
type filter hook input priority 0; | type filter hook input priority 0; policy drop; | ||
# accept any localhost traffic | # accept any localhost traffic | ||
| Line 37: | Line 36: | ||
# accept neighbour discovery otherwise connectivity breaks | # accept neighbour discovery otherwise connectivity breaks | ||
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept | icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept | ||
} | } | ||
} | } | ||
| Line 51: | Line 47: | ||
table inet filter { | table inet filter { | ||
chain input { | chain input { | ||
type filter hook input priority 0; | type filter hook input priority 0; policy drop; | ||
# accept any localhost traffic | # accept any localhost traffic | ||
| Line 62: | Line 58: | ||
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept | icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept | ||
} | } | ||
} | } | ||
</source> | </source> | ||
Revision as of 07:12, 11 August 2021
A very simple set of rules that allows you to initiate communications from your workstation to the Internet but restricts any communication initiation to your workstation (that was not initiated by you).
fw.basic
For IPv4 only workstation.
table ip filter {
chain input {
type filter hook input priority 0; policy drop;
# accept traffic originated from us
ct state established,related accept
# accept any localhost traffic
iif lo accept
}
}
fw6.basic
For IPv6 only workstation.
table ip6 filter {
chain input {
type filter hook input priority 0; policy drop;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
}
}
fw.inet.basic
For dual-stack IPv4/IPv6 workstation.
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# accept neighbour discovery otherwise IPv6 connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
}
}