
[elpa] externals/nftables-mode e47799589c 16/41: add remaining allow/den


From: Stefan Monnier
Subject: [elpa] externals/nftables-mode e47799589c 16/41: add remaining allow/deny rules from alpha as an example
Date: Mon, 23 May 2022 09:27:23 -0400 (EDT)

branch: externals/nftables-mode
commit e47799589c89a768a87d332a712b2e02f3d33814
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>

    add remaining allow/deny rules from alpha as an example
---
 nftables-router.nft | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/nftables-router.nft b/nftables-router.nft
index 8a478043ef..dd0bb69684 100644
--- a/nftables-router.nft
+++ b/nftables-router.nft
@@ -175,7 +175,9 @@ table inet my_filter {
         # YOUR RULES HERE.
         # NOTE: service names resolve via nss (/etc/hosts) only in nft 0.9.1+!
         tcp dport ssh  accept
-        tcp dport { http, https }  accept
+        tcp dport smtp  reject  comment "alpha is null-listed first MX for CCA 
(antispam measure)."
+        iifname {lan, dmz, byod}  tcp dport domain  accept
+        iifname {lan, dmz, byod}  udp dport {domain, ntp, bootps, tftp}  accept
 
         jump my_epilogue
     }
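Review bot: The new `udp dport {domain, ntp, bootps, tftp}` rule grants the byod segment access to TFTP on the router, and TFTP carries no authentication at all, so any untrusted device can read (and, depending on the daemon's configuration, write) whatever the tftpd exposes. If TFTP is only needed for PXE/config boot of managed hosts, narrow it to that segment on its own line, e.g. `iifname lan  udp dport tftp  accept  comment "PXE boot only"`, and keep `{domain, ntp, bootps}` for all three. For the SMTP nolisting rule, consider `tcp dport smtp  reject with tcp reset` so remote MTAs see an immediate "connection refused" rather than an ICMP port-unreachable, which some senders treat as a transient error and retry against this same MX. The chain these rules live in starts above the hunk.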
@@ -190,7 +192,7 @@ table inet my_filter {
 
         # If a pwned devices spams the internet,
         # your entire network will be blacklisted!
-        # To avoid this, blacklist outbound SMTP (25/tcp) from non-MTA hosts.
+        # To avoid this, block outbound SMTP (25/tcp) from non-MTA hosts.
         # MSAs (e.g. Outlook) are not affected, because they use submission 
(587/tcp).
         #
         # NOTE: this must appear BEFORE "allow all to internet", obviously.
@@ -246,16 +248,27 @@ table inet my_filter {
         #    oifname dmz       jump my_dmz
         #    iifname lan       accept
 
-        ### NOTE: a single rule CAN match "allow 53/tcp and 53/udp", but it's 
UGLY, so we don't.
-        ### NOTE: I assume you used systemd (networkd or udev) to rename 
"enp0s0f0" to "lan".
-        tcp dport ssh  accept
-        tcp dport { http, https }  accept
-        iifname lan  tcp dport domain  accept
-        iifname lan  udp dport { domain, ntp, bootps }  accept
+        ## Allow connections to protected (non DMZ) services.
+        ## FIXME: this is all IPv4 only!  We need equivalent rules for IPv6 as 
well!!!
+        iifname dmz               ip daddr @ldap_servers  tcp dport ldaps      
   accept  comment "Centralized authentication"
+        iifname {lan, byod}       ip daddr @irc_servers   tcp dport ircd       
   accept  comment "IRC from laptops"
+        iifname {dmz, lan, byod}  ip daddr @apt_servers   tcp dport {http, 
3142}  accept  comment "APT mirror access (3142 = apt-cacher-ng)"
+        iifname {dmz, lan, byod}  ip daddr @log_servers   tcp dport 2514       
   accept  comment "RELP (modern syslog)"
+        iifname {dmz, lan, byod}  ip daddr @log_servers   udp dport syslog     
   accept  comment "*legacy* syslog (inc. wifi APs on BYOD network)"
+                                  ip saddr @ssh_servers   tcp dport ssh        
   accept  comment "SSH *FROM* login gateway to anything else"
+                                  ip saddr @www_servers   tcp dport https      
   accept  comment "HTTPS *FROM* reverse proxy to backend web apps"
 
         jump my_epilogue
     }
 
+    # This is mostly for transition from omega (one IP per service) to 
new-omega (one IP for all services).
+    # When the transition is done, we can flatten all of this down.
+    set ldap_servers { type ipv4_addr; elements={203.7.155.214, 203.7.155.154} 
}
+    set irc_servers  { type ipv4_addr; elements={203.7.155.214, 203.7.155.134} 
}
+    set apt_servers  { type ipv4_addr; elements={203.7.155.214, 203.7.155.153} 
}
+    set log_servers  { type ipv4_addr; elements={203.7.155.214, 203.7.155.157} 
}
+    set ssh_servers  { type ipv4_addr; elements={203.7.155.214, 203.7.155.5} }
+    set www_servers  { type ipv4_addr; elements={203.7.155.214, 203.7.155.8} }
 
     # We want output to be "allow all", so we don't even create a chain.
     #chain my_output {
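Review bot: The two rules that match only `ip saddr @ssh_servers` and `ip saddr @www_servers` have no `iifname` qualifier, so a packet arriving on `internet` with a spoofed source of 203.7.155.214 is forwarded to port 22 or 443 on any host behind the router; nothing in this hunk shows a reverse-path check that would stop it. Unless an rpfilter/antispoof rule exists earlier in the ruleset, pin each to the interface those hosts actually live on, e.g. `iifname dmz  ip saddr @ssh_servers  tcp dport ssh  accept` and `iifname dmz  ip saddr @www_servers  tcp dport https  accept`, substituting the correct segment. The FIXME that the sets are IPv4-only is worth keeping prominent: with `table inet`, IPv6 traffic matches none of these `ip daddr` rules and falls through to `my_epilogue`, which is safe (deny) but silently breaks the services over v6. The chain that contains these rules starts above the hunk.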
@@ -311,6 +324,7 @@ table inet my_filter {
     chain my_epilogue {
         # Finally, politely reject all other attempts.
         # Omit to use the default policy ("policy drop", above) instead.
+        iifname internet  drop  # FIXME: why drop, not reject??
         reject
     }
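Review bot: The FIXME on the new `iifname internet  drop` line can be answered and the comment replaced: drop is the right choice on the untrusted interface because a `reject` confirms the host is up and, since it echoes an ICMP/RST back to the (possibly spoofed) source, makes the router a small reflector for scans; internal interfaces still reach the `reject` below so legitimate clients fail fast. Suggested comment in place of the FIXME: `# From the internet: drop, not reject. A reject reveals the host is alive and reflects ICMP/RST to spoofed sources; only internal interfaces get the polite reject below.` Note that both the input and forward paths visible in this diff end with `jump my_epilogue`, so this single rule changes the behaviour of both chains.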
 


