From: Stefan Monnier
Subject: [elpa] externals/nftables-mode e47799589c 16/41: add remaining allow/deny rules from alpha as an example
Date: Mon, 23 May 2022 09:27:23 -0400 (EDT)
branch: externals/nftables-mode
commit e47799589c89a768a87d332a712b2e02f3d33814
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>
add remaining allow/deny rules from alpha as an example
---
nftables-router.nft | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/nftables-router.nft b/nftables-router.nft
index 8a478043ef..dd0bb69684 100644
--- a/nftables-router.nft
+++ b/nftables-router.nft
@@ -175,7 +175,9 @@ table inet my_filter {
# YOUR RULES HERE.
# NOTE: service names resolve via nss (/etc/hosts) only in nft 0.9.1+!
tcp dport ssh accept
- tcp dport { http, https } accept
+ tcp dport smtp reject comment "alpha is null-listed first MX for CCA
(antispam measure)."
+ iifname {lan, dmz, byod} tcp dport domain accept
+ iifname {lan, dmz, byod} udp dport {domain, ntp, bootps, tftp} accept
jump my_epilogue
}
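Review bot: this hunk silently removes `tcp dport { http, https } accept`, which is a behaviour change the commit message ("add remaining allow/deny rules") does not mention; either keep that line or say in the message or a comment that inbound HTTP/HTTPS to this host is no longer wanted. Note also that the new `tcp dport smtp reject` line is not qualified by `iifname`, so it rejects SMTP from the internal interfaces as well as from the internet; that is consistent with the "null-listed first MX" comment, but worth stating explicitly since the DNS/NTP/DHCP/TFTP rules right below it are interface-scoped. (The comment string on that line is wrapped by the list archive; in the file it should stay on one line.)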
@@ -190,7 +192,7 @@ table inet my_filter {
# If a pwned devices spams the internet,
# your entire network will be blacklisted!
- # To avoid this, blacklist outbound SMTP (25/tcp) from non-MTA hosts.
+ # To avoid this, block outbound SMTP (25/tcp) from non-MTA hosts.
# MSAs (e.g. Outlook) are not affected, because they use submission
(587/tcp).
#
# NOTE: this must appear BEFORE "allow all to internet", obviously.
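Review bot: while touching this comment block, the unchanged context line "If a pwned devices spams the internet" should read "If a pwned device spams the internet". The wording change from "blacklist" to "block" is fine and matches what the rule actually does.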
@@ -246,16 +248,27 @@ table inet my_filter {
# oifname dmz jump my_dmz
# iifname lan accept
- ### NOTE: a single rule CAN match "allow 53/tcp and 53/udp", but it's
UGLY, so we don't.
- ### NOTE: I assume you used systemd (networkd or udev) to rename
"enp0s0f0" to "lan".
- tcp dport ssh accept
- tcp dport { http, https } accept
- iifname lan tcp dport domain accept
- iifname lan udp dport { domain, ntp, bootps } accept
+ ## Allow connections to protected (non DMZ) services.
+ ## FIXME: this is all IPv4 only! We need equivalent rules for IPv6 as
well!!!
+ iifname dmz ip daddr @ldap_servers tcp dport ldaps
accept comment "Centralized authentication"
+ iifname {lan, byod} ip daddr @irc_servers tcp dport ircd
accept comment "IRC from laptops"
+ iifname {dmz, lan, byod} ip daddr @apt_servers tcp dport {http,
3142} accept comment "APT mirror access (3142 = apt-cacher-ng)"
+ iifname {dmz, lan, byod} ip daddr @log_servers tcp dport 2514
accept comment "RELP (modern syslog)"
+ iifname {dmz, lan, byod} ip daddr @log_servers udp dport syslog
accept comment "*legacy* syslog (inc. wifi APs on BYOD network)"
+ ip saddr @ssh_servers tcp dport ssh
accept comment "SSH *FROM* login gateway to anything else"
+ ip saddr @www_servers tcp dport https
accept comment "HTTPS *FROM* reverse proxy to backend web apps"
jump my_epilogue
}
+ # This is mostly for transition from omega (one IP per service) to
new-omega (one IP for all services).
+ # When the transition is done, we can flatten all of this down.
+ set ldap_servers { type ipv4_addr; elements={203.7.155.214, 203.7.155.154}
}
+ set irc_servers { type ipv4_addr; elements={203.7.155.214, 203.7.155.134}
}
+ set apt_servers { type ipv4_addr; elements={203.7.155.214, 203.7.155.153}
}
+ set log_servers { type ipv4_addr; elements={203.7.155.214, 203.7.155.157}
}
+ set ssh_servers { type ipv4_addr; elements={203.7.155.214, 203.7.155.5} }
+ set www_servers { type ipv4_addr; elements={203.7.155.214, 203.7.155.8} }
# We want output to be "allow all", so we don't even create a chain.
#chain my_output {
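Review bot: the two source-address rules, `ip saddr @ssh_servers tcp dport ssh accept` and `ip saddr @www_servers tcp dport https accept`, trust the source IP alone and are not pinned to an interface, unlike every other new rule here which carries an `iifname {...}` match; a packet arriving on any interface with a spoofed 203.7.155.x source would match them, so add the interface the login gateway and reverse proxy actually sit on (presumably `iifname dmz`) to both. Two smaller points: the removed note "I assume you used systemd (networkd or udev) to rename enp0s0f0 to lan" is the only place that explained where the `lan`/`dmz`/`byod` names come from and is worth keeping near the new `iifname` rules; and the `## FIXME: this is all IPv4 only` is accurate (every set is `ipv4_addr` and every match is `ip daddr`/`ip saddr`), so consider tracking it in the commit message so the IPv6 equivalents are not forgotten.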
@@ -311,6 +324,7 @@ table inet my_filter {
chain my_epilogue {
# Finally, politely reject all other attempts.
# Omit to use the default policy ("policy drop", above) instead.
+ iifname internet drop # FIXME: why drop, not reject??
reject
}
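Review bot: the `# FIXME: why drop, not reject??` can be answered in place rather than left open: dropping on the `internet` interface avoids sending a reply (TCP RST or ICMP unreachable) to an unsolicited or spoofed source, which both confirms the host is there and lets it be used to reflect traffic, whereas the plain `reject` that follows gives internal clients a fast, clear failure. The chain's leading comment "politely reject all other attempts" now only describes the non-internet case, so update it to say that internet-facing traffic is dropped and everything else is rejected.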