authorJakub Jirutka <jakub@jirutka.cz>2020-01-04 16:54:15 +0100
committerJakub Jirutka <jakub@jirutka.cz>2020-01-04 17:21:42 +0100
commit12bb17de3742c8c60d2802aaf4a7469fd1d74aea (patch)
tree92c66d1c95d27799cb58359fa0a28fc87e5d0fbf
parentdab236940f129a48042019da078f305e7ed1a7c4 (diff)
main/nftables: add default ruleset /etc/nftables.nft
-rw-r--r--main/nftables/APKBUILD5
-rw-r--r--main/nftables/nftables.nft78
2 files changed, 82 insertions, 1 deletions
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 7d886692e5..3e1b803663 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -25,6 +25,7 @@ subpackages="$pkgname-doc"
source="https://netfilter.org/projects/nftables/files/$pkgname-$pkgver.tar.bz2
nftables.confd
nftables.initd
+ nftables.nft
"
builddir="$srcdir/$pkgname-$pkgver"
@@ -51,8 +52,10 @@ package() {
install -Dm755 "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
install -Dm644 "$srcdir"/$pkgname.confd "$pkgdir"/etc/conf.d/$pkgname
+ install -Dm644 "$srcdir"/nftables.nft "$pkgdir"/etc/nftables.nft
}
sha512sums="d264f6fc75c95510e29fe7d5b82ae418d502f40437b098ba6117ffb1374d9989d70a7296e2e58c5fb25142145a987bb9c160902637899f892589809f9541db43 nftables-0.9.3.tar.bz2
4eb1adf003dfcaad65c91af6ca88d91b7904c471aefae67e7d3c2f8e053e1ac196d3437a45d1fed5a855b876a0f1fc58a724e381d2acf1164d9120cadee73eef nftables.confd
-58daafb012b7cd0248a7db6e10f6a667e683347aaea7eaa78cb88780272f334e00913cea3fd39a22a4a72acc27fabd101944b40916f4b534ddeb509bd0232017 nftables.initd"
+58daafb012b7cd0248a7db6e10f6a667e683347aaea7eaa78cb88780272f334e00913cea3fd39a22a4a72acc27fabd101944b40916f4b534ddeb509bd0232017 nftables.initd
+059e0920517ff9f9c564bdfda6a06e8392a2755c01f8d0331a8577fd027713948d3f1e2cbe9da5077870181dc9e425d8c69e4c82ea6ee261fced4ab61aff3ad4 nftables.nft"
diff --git a/main/nftables/nftables.nft b/main/nftables/nftables.nft
new file mode 100644
index 0000000000..a251450358
--- /dev/null
+++ b/main/nftables/nftables.nft
@@ -0,0 +1,78 @@
+#!/usr/sbin/nft -f
+# vim:set ts=4:
+# You can find examples in /usr/share/nftables/.
+
+# Clear all prior state
+flush ruleset
+
+# Basic IPv4/IPv6 stateful firewall for server/workstation.
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ iifname lo accept \
+ comment "Accept any localhost traffic"
+
+ ct state { established, related } accept \
+ comment "Accept traffic originated from us"
+
+ ct state invalid drop \
+ comment "Drop invalid connections"
+
+ tcp dport 113 reject with icmpx type port-unreachable \
+ comment "Reject AUTH to make it fail fast"
+
+ # ICMPv4
+
+ ip protocol icmp icmp type {
+ echo-reply, # type 0
+ destination-unreachable, # type 3
+ time-exceeded, # type 11
+ parameter-problem, # type 12
+ } accept \
+ comment "Accept ICMP"
+
+ ip protocol icmp icmp type echo-request limit rate 1/second accept \
+ comment "Accept max 1 ping per second"
+
+ # ICMPv6
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ destination-unreachable, # type 1
+ packet-too-big, # type 2
+ time-exceeded, # type 3
+ parameter-problem, # type 4
+ echo-reply, # type 129
+ } accept \
+ comment "Accept basic IPv6 functionality"
+
+ ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept \
+ comment "Accept max 1 ping per second"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ nd-router-solicit, # type 133
+ nd-router-advert, # type 134
+ nd-neighbor-solicit, # type 135
+ nd-neighbor-advert, # type 136
+ } ip6 hoplimit 255 accept \
+ comment "Allow IPv6 SLAAC"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ mld-listener-query, # type 130
+ mld-listener-report, # type 131
+ mld-listener-reduction, # type 132
+ mld2-listener-report, # type 143
+ } ip6 saddr fe80::/10 accept \
+ comment "Allow IPv6 multicast listener discovery on link-local"
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+include "/etc/nftables.d/*.nft"
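Review bot: The last `ip6 nexthdr icmpv6 icmpv6 type {` block ("Allow IPv6 multicast listener discovery on link-local") will not match real MLD traffic, because MLD messages carry a Hop-by-Hop Router Alert extension header, so the fixed IPv6 header's next-header field is hop-by-hop rather than icmpv6 and `ip6 nexthdr icmpv6` fails before the type set is consulted. The same prefix on the three earlier ICMPv6 rules likewise skips any ICMPv6 packet that carries extension headers, which then falls through to the chain's drop policy. Matching on the transport protocol instead, `meta l4proto icmpv6 icmpv6 type {` (nft infers the same dependency when the `ip6 nexthdr icmpv6` prefix is simply dropped), lets the kernel step over extension headers before checking the ICMPv6 type, and would be applied to all four sets. Separately, the APKBUILD hunk installs only /etc/nftables.nft and does not create /etc/nftables.d/, so it is worth confirming that nft tolerates the final `include "/etc/nftables.d/*.nft"` matching nothing when that directory is absent.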