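# https://wiki.archlinux.org/index.php/Nftables#Usage
# A simple and safe firewall for a single laptop: default-deny inbound,
# no forwarding, unrestricted outbound.
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname lo accept comment "Accept any localhost traffic"
        ct state invalid drop comment "drop invalid connections"
        ct state established,related accept comment "Accept traffic originated from us"
        # allow icmp, which is commonly used to see how long it takes packets to get somewhere
        # It helps people debug web applications
        # echo-request is not in this set; see the rate-limit rule further down.
        ip protocol icmp icmp type { \
            destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem \
        } accept comment "Accept ICMP"
        # ICMPv6 is not optional for IPv6: neighbour/router discovery (NDP), MLD and
        # path-MTU discovery (packet-too-big) all run over it, so dropping every
        # ICMPv6 packet in an inet table leaves IPv6 unusable on this host. Accept
        # only the control and error types a host needs; echo-request is left out
        # to match the IPv4 policy above. If IPv6 is meant to be disabled, do it in
        # the kernel (sysctl) rather than by blackholing NDP here.
        ip6 nexthdr icmpv6 icmpv6 type { \
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem, \
            mld-listener-query, mld-listener-report, mld-listener-reduction, \
            nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert \
        } accept comment "Accept ICMPv6"
        # IGMP is a protocol that help online gaming and video chat work better
        ip protocol igmp accept comment "Accept IGMP"
        udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
        # SSDP replies are accepted only from private/link-local sources, only as
        # unicast, and rate limited, so an arbitrary host cannot reach high UDP ports this way.
        udp sport 1900 udp dport >= 1024 ip saddr { \
            10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 \
        } meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
        # No ping floods
        # echo-request is never accepted above, so pings are not answered either way;
        # this rule only drops a flood silently instead of letting every packet fall
        # through to the reject rule at the end of the chain.
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        # allow ssh
        # can I disable this? I am not going to be ssh-ing into this laptop anytime soon.
        # tcp dport ssh accept
        # reject everything else
        reject with icmpx type port-unreachable
    }
    # this is a laptop. I do not forward stuff.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    # I should probably work on this....I should only really enable certain outbound connections.
    chain output {
        type filter hook output priority 0; policy accept;
    }
}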