:: [DNG] nft firewall
Author: Joel Roth
Date:  
To: dng
Subject: [DNG] nft firewall
We discussed firewalls in January, especially the new
nftables system.

I am interested in setting up an nft firewall for my desktop.
I'd like to be able to access my home machine remotely
in case I don't have my laptop with me.

There are some useful snippets in /usr/share/doc/nftables/examples

Nothing complete, so I looked around at random and found this
firewall.

https://codeberg.org/jschwender/nft-firewall

It's a single script with some protection against
malicious packets.

Opening ports in the "incoming" chain for common protocols
didn't go as expected. I got 'connection refused' when
ssh'ing in. I changed the original:

    tcp dport ssh ct state new,untracked meter flood-ipv4-ssh  { ip saddr timeout 10s limit rate over 10/second }  add @blacklist-v4 { ip saddr timeout 1m }


to

    tcp dport { ssh, http, https } ct state new accept


This lacks the rate-limiting and blacklisting of the
original, but at least allows external access.

You activate it by `nft -f nft-firewall`.

Any feedback or suggestions will be welcome.



--
Joel Roth
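The following ruleset is an added example, not part of Joel's post and not code from the jschwender/nft-firewall project. It keeps the meter-and-blacklist rule quoted above but follows it with the explicit accept that was missing, so legitimate SSH, HTTP and HTTPS clients are no longer refused while a source that opens too many SSH connections is dropped for a minute. The table name `filter`, the chain name `input` and the ICMP rules are my own choices; the set name `blacklist-v4` and the meter name `flood-ipv4-ssh` are taken from the rule in the post.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post or the jschwender/nft-firewall
# project). Table, chain and ICMP rules are assumptions; the set and meter
# names match the rule quoted in the post.

flush ruleset

table inet filter {
    # Dynamic set of IPv4 sources that exceeded the SSH connection rate.
    # Each entry is added with its own timeout by the meter rule below.
    set blacklist-v4 {
        type ipv4_addr
        flags dynamic,timeout
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Anything from a source currently on the blacklist is dropped.
        ip saddr @blacklist-v4 drop

        # More than 10 new SSH connections in 10s from one source: put the
        # source on the blacklist for 1 minute and drop this packet too.
        # Without a verdict at the end, the packet would fall through to
        # the accept rule below.
        tcp dport ssh ct state new meter flood-ipv4-ssh { ip saddr timeout 10s limit rate over 10/second } add @blacklist-v4 { ip saddr timeout 1m } drop

        # Explicit accept for the services that should be reachable.
        # This is what the original rule lacked.
        tcp dport { ssh, http, https } ct state new accept

        # Rate-limited ping, plus the ICMPv6 types IPv6 needs to function.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
}
```

Check the file for syntax errors without loading it with `nft -c -f nft-firewall`, then load it with `nft -f nft-firewall` as the post describes. After a few SSH connection attempts you can watch the dynamic set fill and expire with `nft list set inet filter blacklist-v4`.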