:: [DNG] nft firewall
Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MM\ 
.MMSteve Litt at ->
Delete this message
Reply to this message
Author: Joel Roth
Date:  
To: dng
Subject: [DNG] nft firewall
We discussed firewalls in January, especially the new
nftables system.

I am interested to set up an nft firewall for my desktop.
I'd like to be able to access my home machine remotely
in case I don't have my laptop with me.

There are some useful snippets in /usr/share/doc/nftables/examples

Nothing complete, so I looked around at random and found this
firewall.

https://codeberg.org/jschwender/nft-firewall

It's a single script with some protection against
malicious packets.

Opening ports in the "incoming" chain for common protocols
didn't go as expected. I got 'connection refused' when
ssh'ing in. I changed the original: 

    tcp dport ssh ct state new,untracked meter flood-ipv4-ssh  { ip saddr timeout 10s limit rate over 10/second }  add @blacklist-v4 { ip saddr timeout 1m }


to 

    tcp dport { ssh, http, https } ct state new accept


This lacks the rate-limiting and blacklisting of the
original, but at least allows external access.

You activate it by `nft -f nft-firewall`.

Any feedback or suggestions will be welcome.



--
Joel Roth
This message was posted to the following mailing lists:
dng
Mailing List Info | Nearby Messages		<-Re: [DNG] dual boot + encryptionRe: [DNG] dual boot + encryption->

Donate to Dyne.org

dyne.org open discussions
administrated by dyne.org hackers		Lurker (version 2.3)