:: Re: [DNG] nft firewall
Author: Joel Roth
Date:  
To: dng
Subject: Re: [DNG] nft firewall
On Wed, Nov 30, 2022 at 02:05:05PM -0500, Steve Litt wrote:
> Joel Roth via Dng said on Tue, 29 Nov 2022 14:36:28 -1000
>
> >We discussed firewalls in January, especially the new
> >nftables system.
> >
> >I am interested to set up an nft firewall for my desktop.
> >I'd like to be able to access my home machine remotely
> >in case I don't have my laptop with me.
> >
> >There are some useful snippets in /usr/share/doc/nftables/examples
> >
> >Nothing complete, so I looked around at random and found this
> >firewall.
> >
> >https://codeberg.org/jschwender/nft-firewall
>
> Unfortunately, nothing I found in your referenced material took care of
> the oft-used case of doing firewalling and routing at the same time.
> I'd like to find something like that.


I'm running openwrt on my router with firewall3. More recent
versions come with firewall4 providing a layer over nft. The config
files are quite easy to read. This is a partial listing from firewall3.

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'


config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'


config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'


config forwarding
        option src 'lan'
        option dest 'wan'


config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'


config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'


To build on devuan, you'd need several of the openwrt
libraries, including ubus and the utility uci.

I think at some level it's necessary to get familiar with the
rulesets, at least input, output and forward chains. The
nft rule syntax is much simpler to write and read than iptables.

> Is it my imagination, or are these rulesets pretty much json files
> without the root level braces?


If you're willing to treat "type filter hook input priority filter + 1; policy"
as a string.
> Thanks,
>
> SteveT
>
> Steve Litt
> Autumn 2022 featured book: Thriving in Tough Times
> http://www.troubleshooters.com/bookstore/thrive.htm
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>


--
Joel Roth
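Added example (not part of Joel's message, and not what firewall3 or firewall4 actually generates): a hand-written nftables ruleset that expresses the same policy as the UCI listing above in native nft syntax, covering the "firewalling and routing at the same time" case: input from the wan zone rejected except DHCP renew and ping, lan-to-wan forwarding with MSS clamping (mtu_fix) and IPv4 masquerading (masq), and a SYN rate limit standing in for syn_flood. Interface names (eth0 for wan, br-lan for lan) and the rate-limit numbers are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: nftables equivalent of the firewall3 config quoted above.
# Assumptions: br-lan is the 'lan' zone, eth0 is the 'wan'/'wan6' uplink.
# Syntax-check with `nft -c -f thisfile`, load with `nft -f thisfile`.
# Forwarding also needs net.ipv4.ip_forward=1 (and ipv6 equivalents).

flush ruleset

define WAN = "eth0"
define LAN = "br-lan"

table inet filter {
    chain input {
        # defaults: input ACCEPT; zone lan: input ACCEPT; zone wan: input REJECT
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # lan zone may talk to the router itself
        iifname $LAN accept

        # rule 'Allow-DHCP-Renew': udp dport 68 from wan, ipv4
        iifname $WAN meta nfproto ipv4 udp dport 68 accept

        # rule 'Allow-Ping': icmp echo-request from wan, ipv4
        # (the rate limit is an assumption, not in the UCI listing)
        iifname $WAN icmp type echo-request limit rate 10/second accept

        # option syn_flood '1': drop new SYNs from wan above a rate
        # (25/s burst 50 are assumed values)
        iifname $WAN tcp flags & (fin|syn|rst|ack) == syn \
            limit rate over 25/second burst 50 packets drop

        # zone wan input 'REJECT': answer with ICMP instead of silently dropping
        iifname $WAN reject with icmpx type port-unreachable
    }

    chain forward {
        # defaults: forward REJECT; config forwarding: src lan -> dest wan
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # option mtu_fix '1': clamp TCP MSS to the path MTU on the wan side
        oifname $WAN tcp flags syn tcp option maxseg size set rt mtu

        # the only permitted forwarding direction
        iifname $LAN oifname $WAN accept

        # everything else in the forward path is rejected
        reject with icmpx type admin-prohibited
    }

    chain output {
        # defaults: output ACCEPT
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # zone wan: option masq '1' (IPv4 source NAT on the uplink)
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

The input chain uses `policy drop` and an explicit `reject` for the wan interface so that the lan side gets accepted by name while any other, unlisted interface falls through to the silent drop; the UCI zone model expresses the same thing by attaching a default per zone. Everything lives in one `inet` table so the same rules cover the `wan` and `wan6` networks, while masquerading is deliberately IPv4-only in an `ip` table, matching what `masq '1'` does by default.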