
new to nft

From Dennis Filder <d.filder@web.de>
Newsgroups linux.debian.maint.firewall
Subject new to nft
Date 2021-01-13 23:00 +0100
Message-ID <BwWlk-mQ-9@gated-at.bofh.it> (permalink)
References <BwRvj-618-1@gated-at.bofh.it>
Organization linux.* mail to news gateway


On Wed, Jan 13, 2021 at 05:40:20PM +0100, François Patte wrote:

> Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

That is the address range for link-local addresses assigned via
stateless address autoconfiguration.  Think of it as an IP address
derived from the unique MAC address that gets automatically assigned.
It's not routable, i.e. you can only communicate with computers on the
local network, so you'd usually assign other IPv6 addresses that are
routable.

> I expect to accept connections from the internet to port 22222

I would specify the incoming interface here, too, just for clarity.

> The last line "log" is (for me) supposed to log all dropped packets, am I
> right?

Yes.

> For this last line, logwatch reports "logged packets on interface".
> logwatch with iptables reports "drop packets on the interface"
>
> Are these packets dropped or only logged?

Both.  The log messages should show up in the output of "dmesg".  I
usually use rules like this:

  log prefix "filter_inet:c_f_in  " flags all

This tells me which chain caused that log entry and some more details.
You could also use:

  counter log prefix "filter_inet:c_f_in  " flags all

It should add a counter of how often that rule was matched.  You can
inspect it with "list ruleset" or by listing that rule by its handle.

Regards,
Dennis.
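
A small ruleset that puts the points from this reply together, added here as an example and not taken from the thread. The interface name "eth0", the table name "filter", the chain name "c_f_in" and the drop policy are assumptions; only port 22222 and the log prefix come from the messages above.

```nftables
#!/usr/sbin/nft -f
# Added example, not the original poster's ruleset.
# Assumed names: table "filter", chain "c_f_in", interface "eth0".

table inet filter {
    chain c_f_in {
        # Assumption: the chain policy is drop. A packet that matches
        # no accept rule reaches the final log rule, is logged there,
        # and is then dropped by the policy: logged and dropped.
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened, and loopback.
        ct state established,related accept
        iif "lo" accept

        # IPv6 neighbour discovery; without it IPv6 stops working
        # under a drop policy.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Service port from the thread, bound to the incoming
        # interface so the rule says where the traffic is expected.
        iifname "eth0" tcp dport 22222 accept

        # Final rule: count and log whatever is about to be dropped.
        # The prefix names the table and chain so each kernel log line
        # shows which chain produced it; "flags all" adds the optional
        # header details to the log entry.
        counter log prefix "filter_inet:c_f_in  " flags all
    }
}
```

Running "nft -c -f" on the file checks the syntax without loading it. Once loaded, "nft list chain inet filter c_f_in" shows the packet and byte counts on the final rule.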
