


Re: new to nft

From Pascal Hambourg <pascal@plouf.fr.eu.org>
Newsgroups linux.debian.maint.firewall
Subject Re: new to nft
Date 2021-01-13 20:20 +0100
Message-ID <BwTQu-7vW-3@gated-at.bofh.it> (permalink)
References <BwRvj-618-1@gated-at.bofh.it>
Organization Plouf !



On 13/01/2021 at 17:40, François Patte wrote:
> 
> I begin to use nftables and wrote these rules:
>      chain input { # handle 1
>          type filter hook input priority 0; policy drop;
>          ct state established,related accept # handle 4
>          ip saddr 192.168.1.0/24 accept # handle 5
>          ip6 saddr fe80::/10 accept # handle 6
>          ct state invalid drop # handle 7
>          iifname "lo" accept # handle 8
>          tcp dport 22222 accept # handle 9
>          log # handle 10
>      }
> 
> I expect to block all traffic from anywhere except on the local network 
> (192.168.1.0/24)

"on the local network" does not make any sense, and this ruleset fails 
to drop all traffic from anywhere but 192.168.1.0/24:

           ct state established,related accept # handle 4

accepts traffic from any address, and

           iifname "lo" accept # handle 8

accepts traffic from 127.0.0.0/8 and any local (host) address.

> Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

No. 192.168.1.0/24 is a private prefix. Addresses can be configured by 
any conventional method (static, DHCP...). They are routable.

fe80::/10 is the link local prefix. Addresses are automatically assigned 
by the kernel itself. They are not routable.

> The last line "log" is (for me) supposed to log all dropped packets, am 
> I right?

No. It does not log packets already dropped by

           ct state invalid drop # handle 7

> For this last line, logwatch reports "logged packets on interface".
> logwatch with iptables reports "drop packets on the interface"

I wonder how logwatch knows the logged packets are dropped.

> Are these packets dropped or only logged?

What do you trust more? The chain default policy "drop" or logwatch?
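Added example, not part of the thread and not code from either poster: a ruleset that keeps the intent of the quoted chain but fixes the two points raised above, so that dropped packets are actually logged and the scope of each accept rule is explicit. It assumes the LAN is 192.168.1.0/24, that SSH listens on TCP 22222, and that the kernel log is where the drop messages should go; the log prefixes and the table name are arbitrary.

```nft
#!/usr/sbin/nft -f
# Added example (assumptions: LAN 192.168.1.0/24, SSH on TCP 22222).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback first. It never carries packets from other hosts, so
        # accepting it before the address checks is harmless, and it is
        # the only thing that lets 127.0.0.0/8 and ::1 through.
        iifname "lo" accept

        # Invalid conntrack entries: log *and* drop in one rule. A bare
        # "drop" here would be invisible to a trailing "log" rule, because
        # a dropped packet never reaches later rules in the chain.
        ct state invalid log prefix "nft-invalid: " drop

        # Replies to connections this host opened. This deliberately matches
        # any source address; without it, outbound connections get no answers.
        ct state established,related accept

        # New connections are accepted from the IPv4 LAN only.
        ip saddr 192.168.1.0/24 accept

        # fe80::/10 is link-local: only directly attached IPv6 neighbours can
        # ever match it. It is not the IPv6 counterpart of the LAN prefix above.
        ip6 saddr fe80::/10 accept

        # SSH on a non-default port, reachable from anywhere.
        tcp dport 22222 accept

        # Everything else: count it, log it with a prefix, then fall through
        # to the chain policy, which drops it. Only packets that reach this
        # line are logged, which is exactly the set the policy will drop.
        counter log prefix "nft-drop: "
    }
}
```

Check the syntax without loading it with `nft -c -f /path/to/file`, load it with `nft -f`, and confirm what is active with `nft list ruleset`. The `counter` shows, in `nft list chain inet filter input`, how many packets fell through to the policy, and the prefixed lines in `journalctl -k` (or `dmesg`) let a log parser such as logwatch tell "about to be dropped by policy" from "dropped as invalid" without guessing.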



Thread

new to nft François Patte <francois.patte@mi.parisdescartes.fr> - 2021-01-13 17:50 +0100
  Re: new to nft Pascal Hambourg <pascal@plouf.fr.eu.org> - 2021-01-13 20:20 +0100
  new to nft Dennis Filder <d.filder@web.de> - 2021-01-13 23:00 +0100
