[[!meta title="My notebook firewall for the 36c3"]]

It's time for the [36c3](https://events.ccc.de/congress/2019/wiki/index.php/Main_Page) and to verify that some things are in place where they should be.

As some of you might know, I am using [IPv6 extensively](https://ipv6onlyhosting.com) to provide services anywhere on anything, so you will see quite some IPv6 related rules in my configuration.

This post should serve two purposes:

* Inspire others to verify their network settings prior to the congress
* Get feedback from anyone spotting a huge mistake in my config :-)

## The firewall rules

I am using [nftables](https://ungleich.ch/en-us/cms/blog/2018/09/11/introduction-to-nftables/) on my notebook and the ruleset is shown below:

```
table ip filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        ct state established,related accept
        tcp dport { 22 } accept
    }
    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }
    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
table ip6 filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        # ICMPv6 types needed for neighbour discovery, router discovery and path MTU discovery
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        ct state established,related accept
        tcp dport { 22, 80, 443 } accept

        # everything not accepted above is logged before the drop policy applies
        log
    }

    chain forward {
        type filter hook forward priority 0;
        policy accept;

        ct state established,related accept

        # traffic towards the docker prefix gets its own chain
        ip6 daddr 2a0a:e5c1:137:b00::/64 jump docker_container
    }

    chain docker_container {
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        tcp dport { 22, 443 } accept
        drop

    }
    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
```
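Since the post asks readers to verify their own settings and to spot mistakes, here is a small static audit of an `nft list ruleset` dump, added here as an example and not part of the original post or of nftables itself. It parses the ip6 table above (copied verbatim; the ip table is left out for brevity), lists the TCP ports each chain accepts, and reports three things a reviewer would look at before plugging a notebook into a congress network: base chains on the input or forward hook whose policy is accept, input chains with policy drop that lack a `ct state established,related accept` rule, and IPv6 input chains that do not accept the ICMPv6 types needed for neighbour discovery and path MTU discovery. On this ruleset it flags only the ip6 forward chain's accept policy; whether that matters depends on whether the notebook forwards at all. The `ESSENTIAL_ICMPV6` set and the finding texts are my choices, not anything nftables defines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The ip6 table from the post, copied verbatim so the audit runs offline.
RULESET = """
table ip6 filter {
    chain input {
        type filter hook input priority 0;
        policy drop;
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        ct state established,related accept
        tcp dport { 22, 80, 443 } accept
        log
    }
    chain forward {
        type filter hook forward priority 0;
        policy accept;
        ct state established,related accept
        ip6 daddr 2a0a:e5c1:137:b00::/64 jump docker_container
    }
    chain docker_container {
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        tcp dport { 22, 443 } accept
        drop
    }
    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
"""


@dataclass
class Chain:
    name: str
    hook: Optional[str] = None      # only base chains have a hook; jump targets do not
    policy: Optional[str] = None
    rules: List[str] = field(default_factory=list)


@dataclass
class Table:
    family: str
    name: str
    chains: Dict[str, Chain] = field(default_factory=dict)


def parse_ruleset(text: str) -> Dict[str, Table]:
    """Parse the subset of ruleset syntax used here: tables, chains, one statement per line."""
    tables: Dict[str, Table] = {}
    table: Optional[Table] = None
    chain: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                          # block opener: table or chain
            words = line[:-1].split()
            if words[0] == "table":
                table = Table(words[1], words[2])
                tables[f"{words[1]} {words[2]}"] = table
            elif words[0] == "chain":
                chain = Chain(words[1])
                table.chains[words[1]] = chain
        elif line == "}":                               # close innermost block
            if chain is not None:
                chain = None
            else:
                table = None
        else:
            stmt = line.rstrip(";")
            hook = re.match(r"type \S+ hook (\S+) priority", stmt)
            if hook:
                chain.hook = hook.group(1)
            elif stmt.startswith("policy "):
                chain.policy = stmt.split()[1]
            else:
                chain.rules.append(stmt)
    return tables


def open_tcp_ports(chain: Chain) -> Set[int]:
    """TCP destination ports accepted by a plain `tcp dport ... accept` rule in this chain."""
    ports: Set[int] = set()
    for rule in chain.rules:
        m = re.match(r"tcp dport (\{[^}]*\}|\d+) accept$", rule)
        if m:
            ports |= {int(p) for p in m.group(1).strip("{} ").split(",")}
    return ports


# My choice of ICMPv6 types without which an IPv6 host cannot find routers/neighbours or do PMTUD.
ESSENTIAL_ICMPV6 = {"packet-too-big", "nd-router-advert", "nd-neighbor-solicit", "nd-neighbor-advert"}


def audit(tables: Dict[str, Table]) -> List[str]:
    """Return findings a reviewer would want to look at; an empty list means nothing was flagged."""
    findings: List[str] = []
    for tname, table in tables.items():
        for chain in table.chains.values():
            where = f"{tname} chain {chain.name}"
            if chain.hook in ("input", "forward") and chain.policy == "accept":
                findings.append(f"{where}: base chain on hook {chain.hook} has policy accept")
            if chain.hook == "input" and chain.policy == "drop" and not any(
                    r.startswith("ct state") and r.endswith("accept") for r in chain.rules):
                findings.append(f"{where}: no 'ct state established,related accept', replies will be dropped")
            if table.family == "ip6" and chain.hook == "input":
                accepted: Set[str] = set()
                for r in chain.rules:
                    m = re.match(r"icmpv6 type \{([^}]*)\} accept", r)
                    if m:
                        accepted |= {t.strip() for t in m.group(1).split(",")}
                missing = ESSENTIAL_ICMPV6 - accepted
                if missing:
                    findings.append(f"{where}: essential ICMPv6 types not accepted: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    parsed = parse_ruleset(RULESET)
    for tname, table in parsed.items():
        for chain in table.chains.values():
            print(f"{tname} {chain.name}: hook={chain.hook} policy={chain.policy} "
                  f"tcp={sorted(open_tcp_ports(chain))}")
    for finding in audit(parsed):
        print("FINDING:", finding)
```

To audit a live machine, feed `nft list ruleset` output into `parse_ruleset` instead of the embedded string; the parser ignores comments and blank lines but assumes one statement per line, which is how `nft` prints.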

[[!tag ccc firewall nftables ipv6]]