We discussed firewalls in January, especially the new
nftables system.
I am interested in setting up an nft firewall for my desktop.
I'd like to be able to access my home machine remotely
in case I don't have my laptop with me.
There are some useful snippets in /usr/share/doc/nftables/examples.
None of them is complete, so I looked around at random and found this
firewall:
https://codeberg.org/jschwender/nft-firewall
It's a single script with some protection against
malicious packets.
Opening ports in the "incoming" chain for common protocols
didn't go as expected. I got 'connection refused' when
ssh'ing in. I changed the original:
tcp dport ssh ct state new,untracked meter flood-ipv4-ssh { ip saddr timeout 10s limit rate over 10/second } add @blacklist-v4 { ip saddr timeout 1m }
to
tcp dport { ssh, http, https } ct state new accept
This lacks the rate-limiting and blacklisting of the
original, but at least allows external access.
You activate it by `nft -f nft-firewall`.
Any feedback or suggestions will be welcome.
--
Joel Roth
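The piece the single changed rule loses is that a meter rule carries no verdict of its own: it only adds flooding sources to the set and then lets the packet continue to the next rule, so it needs an accept rule after it (and a drop rule on the set before it) to do anything useful. Below is a complete minimal ruleset that keeps both the rate-limiting/blacklisting of the original rule and the accept of the modified one. This is an added example, not code from Joel's post or from the jschwender firewall; the table, chain and set names, the 10 connections/second threshold and the ICMP handling are my assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (assumed names: table "filter", set "blacklist-v4").
flush ruleset

table inet filter {
    # Sources that flooded ssh. "dynamic" lets rules add elements from the
    # packet path; "timeout" lets each element expire on its own.
    set blacklist-v4 {
        type ipv4_addr
        flags dynamic, timeout
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # Anything already blacklisted is dropped before the service rules.
        ip saddr @blacklist-v4 drop

        # Flood detection: more than 10 new ssh connections per second from one
        # IPv4 source puts that source in the blacklist for one minute.
        # This rule has no verdict, so a non-flooding packet continues to the
        # accept rule below instead of hitting the drop policy.
        tcp dport ssh ct state new meter flood-ipv4-ssh { ip saddr timeout 10s limit rate over 10/second } add @blacklist-v4 { ip saddr timeout 1m }

        # New connections for the exposed services.
        tcp dport { ssh, http, https } ct state new accept

        # Ping, rate limited; the ICMPv6 types are needed for IPv6 to work at all.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Check the syntax without touching the running kernel with `nft -c -f nft-firewall` before loading it, and keep an existing ssh session open while testing so a mistake cannot lock you out. `nft list set inet filter blacklist-v4` shows who is currently banned and how long each entry has left. Because the meter keys on `ip saddr`, only IPv4 clients are rate limited; an IPv6 client still reaches the accept rule but a matching `ip6 saddr` meter and set would be needed to blacklist it.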