| Header | Value |
|---|---|
| From | Pascal Hambourg <pascal@plouf.fr.eu.org> |
| Newsgroups | linux.debian.maint.firewall |
| Subject | Re: new to nft |
| Date | Wed, 13 Jan 2021 20:20:02 +0100 |
| Message-ID | <BwTQu-7vW-3@gated-at.bofh.it> (permalink) |
| References | <BwRvj-618-1@gated-at.bofh.it> |
| Organization | Plouf ! |
| X-Mailing-List | <debian-firewall@lists.debian.org> archive/latest/9540 |
| List-ID | <debian-firewall.lists.debian.org> |
| List-URL | <https://lists.debian.org/debian-firewall/> |
| List-Archive | https://lists.debian.org/msgid-search/064e40ab-2b1a-9722-844a-132ef34dcce7@plouf.fr.eu.org |
On 13/01/2021 at 17:40, François Patte wrote:
>
> I begin to use nftables and wrote these rules:
> chain input { # handle 1
>     type filter hook input priority 0; policy drop;
>     ct state established,related accept # handle 4
>     ip saddr 192.168.1.0/24 accept # handle 5
>     ip6 saddr fe80::/10 accept # handle 6
>     ct state invalid drop # handle 7
>     iifname "lo" accept # handle 8
>     tcp dport 22222 accept # handle 9
>     log # handle 10
> }
>
> I expect to block all traffic from anywhere except on the local network
> (192.168.1.0/24)
"on the local network" does not make any sense, and this ruleset fails
to drop all traffic from anywhere but 192.168.1.0/24:

    ct state established,related accept # handle 4

accepts traffic from any address, and

    iifname "lo" accept # handle 8

accepts traffic from 127.0.0.0/8 and any local (host) address.
> Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?
No. 192.168.1.0/24 is a private prefix. Addresses can be configured by
any conventional method (static, DHCP...). They are routable.
fe80::/10 is the link local prefix. Addresses are automatically assigned
by the kernel itself. They are not routable.
> The last line "log" is (for me) supposed to log all dropped packets, am
> I right?
No. It does not log packets already dropped by

    ct state invalid drop # handle 7
> For this last line, logwatch reports "logged packets on interface".
> logwatch with iptables reports "drop packets on the interface"
I wonder how logwatch knows the logged packets are dropped.
> Are these packets dropped or only logged?
What do you trust more? The chain default policy "drop" or logwatch?
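The following ruleset is an added example, not something posted in this thread, showing one way to write what the original poster seems to have intended ("only the LAN may open connections to this host") while addressing the three points raised above: the `established,related` rule accepts replies from any address, so new connections are what gets restricted to the LAN; `ct state invalid` packets are logged on the rule that drops them, since the trailing `log` never sees them; and fe80::/10 is kept only for IPv6 neighbour discovery, not as a stand-in for the LAN prefix. The IPv6 LAN prefix `2001:db8:1::/64` is a placeholder (the documentation prefix) and must be replaced with the prefix actually routed to the LAN; the `nft-input` log prefixes are also just assumed names.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; not part of the thread. Load with: nft -f <file>
# Syntax check without loading: nft -c -f <file>

define lan4 = 192.168.1.0/24
define lan6 = 2001:db8:1::/64   # placeholder: documentation prefix, replace with the real LAN prefix

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is deliberately accepted; it only carries packets
        # from 127.0.0.0/8, ::1 and the host's own addresses.
        iif "lo" accept

        # Log invalid packets on the same rule that drops them; a later "log"
        # rule never sees packets that were already dropped here.
        ct state invalid counter log prefix "nft-input invalid: " drop

        # Replies to connections this host opened. This matches packets from
        # any source address, which is why it cannot coexist with a blanket
        # "drop everything not from the LAN"; only NEW connections are
        # restricted below.
        ct state established,related accept

        # New connections are accepted from the LAN only.
        ip saddr $lan4 ct state new accept
        ip6 saddr $lan6 ct state new accept

        # fe80::/10 is link-local, not the IPv6 LAN prefix. Only the ICMPv6
        # neighbour/router discovery messages that IPv6 needs are accepted.
        ip6 saddr fe80::/10 icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert
        } accept

        # Any port that must be reachable from outside the LAN would be added
        # here explicitly; the original "tcp dport 22222 accept" opened that
        # port to every source address.

        # Everything else: count and log with a prefix, then fall through to
        # the chain policy (drop). The prefix is what lets a log parser tell
        # these entries apart from other kernel messages.
        counter log prefix "nft-input drop: "
    }
}
```

With the prefixes in place, `journalctl -k | grep 'nft-input'` separates the two drop paths (invalid versus policy drop), and `nft list chain inet filter input` shows the counters, which answers the "dropped or only logged?" question directly rather than relying on how logwatch labels the lines.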
Thread:

- new to nft, François Patte <francois.patte@mi.parisdescartes.fr>, 2021-01-13 17:50 +0100
- Re: new to nft, Pascal Hambourg <pascal@plouf.fr.eu.org>, 2021-01-13 20:20 +0100
- new to nft, Dennis Filder <d.filder@web.de>, 2021-01-13 23:00 +0100