
[elpa] externals/nftables-mode 7b031a2014 36/41: Merge remote-tracking b


From: Stefan Monnier
Subject: [elpa] externals/nftables-mode 7b031a2014 36/41: Merge remote-tracking branch 'ansible/master'
Date: Mon, 23 May 2022 09:27:25 -0400 (EDT)

branch: externals/nftables-mode
commit 7b031a2014439eb466422c196da1ed45833b2149
Merge: 70910dbc2a 109dfa382a
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>

    Merge remote-tracking branch 'ansible/master'
---
 nftables-host.nft   | 14 ++++++++++----
 nftables-router.nft | 12 ++++++------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/nftables-host.nft b/nftables-host.nft
index aae3681b38..11afc39b97 100644
--- a/nftables-host.nft
+++ b/nftables-host.nft
@@ -55,7 +55,7 @@
 #### NOTE: iptables ALWAYS counts how many packets/bytes hit every chain and 
rule.
 ####       nftables makes this OPT IN, e.g. change "accept" to "counter 
accept".
 ####       iptables-save -c would print "[pkts:bytes] -A ...".
-####       nftables list rulset will print "... counter packgets 12 bytes 34 
...".
+####       nftables list ruleset will print "... counter packgets 12 bytes 34 
...".
 ####
 ####       Since counters are useful during debugging but not production,
 ####       I have left them out of this example.
@@ -90,7 +90,11 @@
 # FIXME: I tried that, and I got locked out of SSH!
 #        What it did was remove all the rules, but NOT the chains, so
 #        the default-deny policy dropped EVERYTHING!!!
-flush ruleset
+## NOTE: we add+delete each table (not "flush ruleset"), because
+##       otherwise we would wipe out sshguard table.
+#flush ruleset
+add table inet my_filter        # idempotent
+delete table inet my_filter     # not idempotent
 
 
 table inet my_filter {
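Review bot: With `flush ruleset` gone, only `my_filter` is recreated on each load, so any other table an earlier revision of this file created (or another tool adds) now survives a reload unnoticed — the same class of surprise the sshguard remark guards against, just in the other direction. A reminder next to the `delete table` line would make that explicit, e.g. `## NOTE: tables other than my_filter (older versions of this file, other tools) are no longer removed on reload; check "nft list tables".` The `# not idempotent` remark on `delete table` is also misleading on its own, since the preceding `add table` guarantees the table exists and the pair is safe to re-run; `# always succeeds: the add above guarantees the table exists` would say that. The table body opened on the last context line continues outside the hunk.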
@@ -149,6 +153,8 @@ table inet my_filter {
 }
 
 # This is here to aid debugging.
-# Note that its output WILL NOT MATCH a later "nft list rulset".
+# Note that its output WILL NOT MATCH a later "nft list ruleset".
 # Also, it is buggy, e.g. the ICMPv6_RFC4890_policy it prints has gibberish in 
v0.9.1.
-list ruleset
+# UPDATE: in nftables=0.9.8-3 it sometimes core dumps!  
https://bugs.debian.org/982576
+#         Therefore comment out for now.
+#list ruleset
diff --git a/nftables-router.nft b/nftables-router.nft
index 7c42052241..58991966be 100644
--- a/nftables-router.nft
+++ b/nftables-router.nft
@@ -103,7 +103,7 @@
 #### NOTE: iptables ALWAYS counts how many packets/bytes hit every chain and 
rule.
 ####       nftables makes this OPT IN, e.g. change "accept" to "counter 
accept".
 ####       iptables-save -c would print "[pkts:bytes] -A ...".
-####       nftables list rulset will print "... counter packgets 12 bytes 34 
...".
+####       nftables list ruleset will print "... counter packets 12 bytes 34 
...".
 ####
 ####       Since counters are useful during debugging but not production,
 ####       I have left them out of this example.
@@ -429,8 +429,6 @@ table inet my_filter {
     ##     Does this cover submission 587/tcp (postfix)?
     ##
     ##   * EXCEPT, sshguard doesn't do apache or nginx, so fail2ban on the www 
hosts?
-    ##     UPDATE: sshguard supports apache/nginx if you tell it to read
-    ##     the relevant NCSA-format logfile.
     ##
     ##   * postscreen covers smtp (25/tcp).
 
@@ -473,7 +471,7 @@ table inet my_filter {
             pop3, pop3s, imap,  # we don't use it
             microsoft-ds,       # we don't use it (SMB)
             mysql, postgresql, ms-sql-s,  # we don't use it (from the 
internet, without a VPN)
-            pptp,                         # we don't use it
+            1723,                         # we don't use it (PPTP)
             login,                        # we don't use it
         }; }
     # CONSIDERED AND REJECTED FOR my_IPS_TCP_ports
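Review bot: The new element replaces the service name with a bare number without recording why, so a later reader may well "tidy" it back to `pptp`; I would guess the name is resolved through /etc/services and is absent on some hosts, which makes the whole ruleset fail to load, but the hunk does not say. Extending the trailing comment would pin the reason, e.g. `1723,                         # we don't use it (PPTP; numeric because "pptp" is not in every /etc/services)`. The set this element belongs to starts before the hunk.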
@@ -543,7 +541,7 @@ table inet my_filter {
 
     # Allow all ICMPv6 is wrong (insecure);
     # Deny all ICMPv6 is wrong (breaks IPv6).
-    # The following vmap merges RFC 4890 4.4 (for hosts) and 4.4 (for routers).
+    # The following vmap merges RFC 4890 4.43(for hosts) and 4.4 (for routers).
     # Fortunately, the only verdict conflicts occur in
     # "Traffic That Will Be Dropped Anyway" sections, so we can share this vmap
     # between hook input (host) and hook forward (router).
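Review bot: The rewritten comment now reads `RFC 4890 4.43(for hosts)`, which has lost the space and gained a digit; RFC 4890's host-side recommendations are section 4.3 and the transit (router) recommendations are section 4.4, so the intended line is presumably `# The following vmap merges RFC 4890 4.3 (for hosts) and 4.4 (for routers).` The old line cited 4.4 twice, so the merge fixed the wrong half of the original typo. The vmap this comment describes lies outside the hunk.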
@@ -684,4 +682,6 @@ table ip my_nat {
 # This is here to aid debugging.
 # Note that its output WILL NOT MATCH a later "nft list ruleset".
 # Also, it is buggy, e.g. the ICMPv6_RFC4890_policy it prints has gibberish in 
v0.9.1.
-list ruleset
+# UPDATE: in nftables=0.9.8-3 it sometimes core dumps!  
https://bugs.debian.org/982576
+#         Therefore comment out for now.
+#list ruleset


