:: Re: [DNG] nft firewall
Author: Charles Bridges
Date:  
To: dng
Subject: Re: [DNG] nft firewall
Joel,
Have you looked at Tailscale?
It traverses firewalls and NAT tables without the complication of
firewall rules.
It is your own private network only accessible by the computers you
authorize.
I use it for the same purposes you describe with no issues.
Works great.

Charles


On Tue, 2022-11-29 at 14:36 -1000, Joel Roth via Dng wrote:
> We discussed firewalls in January, especially the new
> nftables system.
>
> I am interested to set up an nft firewall for my desktop.
> I'd like to be able to access my home machine remotely
> in case I don't have my laptop with me.
>
> There are some useful snippets in /usr/share/doc/nftables/examples
>
> Nothing complete, so I looked around at random and found this
> firewall.
>
> https://codeberg.org/jschwender/nft-firewall
>
> It's a single script with some protection against
> malicious packets.
>
> Opening ports in the "incoming" chain for common protocols
> didn't go as expected. I got 'connection refused' when
> ssh'ing in. I changed the original:
>
>     tcp dport ssh ct state new,untracked meter flood-ipv4-ssh { ip saddr timeout 10s limit rate over 10/second } add @blacklist-v4 { ip saddr timeout 1m }
>
> to
>
>     tcp dport { ssh, http, https } ct state new accept
>
> This lacks the rate-limiting and blacklisting of the
> original, but at least allows external access.
>
> You activate it by `nft -f nft-firewall`.
>
> Any feedback or suggestions will be welcome.
>
>
>
> --
> Joel Roth
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
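
An added example, not the codeberg script and not from either poster: a complete inet ruleset that keeps the per-source meter and the one-minute blacklist of the quoted original rule but still accepts ssh, http and https. The quoted original has no verdict, so nothing in that line itself lets a packet in; below, the meter rule drops only the offending packet and the explicit accept follows it. The set and meter names follow the quoted rule; the table name, chain names, the established/loopback/ICMP rules and the forward/output chains are my own assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (assumption-labelled), not the codeberg script: keep the
# flood meter and the blacklist, but accept ssh/http/https below the threshold.
flush ruleset

table inet filter {
    # sources that exceeded the ssh meter; each entry expires on its own timeout
    set blacklist-v4 {
        type ipv4_addr
        flags dynamic,timeout
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # keep existing sessions alive, including the ssh session that loads this file
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # blacklisted sources never reach the service ports
        ip saddr @blacklist-v4 drop

        # more than 10 new ssh connections per second from one address:
        # park it on the blacklist for 1m and drop this packet
        tcp dport ssh ct state new meter flood-ipv4-ssh { ip saddr timeout 10s limit rate over 10/second } add @blacklist-v4 { ip saddr timeout 1m } drop

        # below the threshold, the usual services are allowed in
        tcp dport { ssh, http, https } ct state new accept

        # ping, path MTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Check the file before loading it with `nft -c -f nft-firewall`, load it with `nft -f nft-firewall`, and watch the blacklist fill with `nft list set inet filter blacklist-v4`. Test from a second session: the `ct state established,related accept` rule is what keeps the session that loads the ruleset from being cut off by the drop policy. Only IPv4 sources are blacklisted here; IPv6 needs a parallel `ipv6_addr` set and rule keyed on `ip6 saddr`. The `meter` keyword is the older syntax that the quoted script uses; newer nftables releases express the same thing as a dynamic set whose elements carry a `limit rate` expression.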