add blog post about my notebook firewall
This commit is contained in:
parent
a1e9824764
commit
d236e71fb0
1 changed files with 81 additions and 0 deletions
81
blog/my-notebook-firewall-36c3.mdwn
Normal file
@ -0,0 +1,81 @@
[[!meta title="My notebook firewall for the 36c3"]]

It's time for the
[36c3](https://events.ccc.de/congress/2019/wiki/index.php/Main_Page)
and to verify that some things are in place where they should be.

As some of you might know, I am using
[IPv6 extensively](https://ipv6onlyhosting.com) to provide
services anywhere on anything, so you will see quite some IPv6 related
rules in my configuration.

This post should serve two purpose:

* Inspire others to verify their network settings prior to the
congress
* Get feedback from anyone spotting a huge mistake in my config :-)

## The firewall rules

I am using
[nftables](https://ungleich.ch/en-us/cms/blog/2018/09/11/introduction-to-nftables/)
on my notebook and the ruleset is shown below:


```
table ip filter {
chain input {
type filter hook input priority 0;
policy drop;

ct state established,related accept
tcp dport { 22 } accept
}
chain forward {
type filter hook forward priority 0;
policy drop;
}
chain output {
type filter hook output priority 0;
policy accept;
}
}
table ip6 filter {
chain input {
type filter hook input priority 0;
policy drop;

icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

ct state established,related accept
tcp dport { 22, 80, 443 } accept

log
}

chain forward {
type filter hook forward priority 0;
policy accept;

ct state established,related accept

ip6 daddr 2a0a:e5c1:137:b00::/64 jump docker_container
}

chain docker_container {
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

tcp dport { 22, 443 } accept
drop

}
chain output {
type filter hook output priority 0;
policy accept;
}
}
```



[[!tag ccc firewall nftables ipv6]]
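Review bot: both `input` chains run at `policy drop` without an `iif lo accept` rule, so any new IPv4 or IPv6 connection to the loopback interface other than port 22 (a local resolver, a dev server bound to 127.0.0.1 or ::1) is dropped; add `iif lo accept` as the first rule of `chain input` in both `table ip filter` and `table ip6 filter`. Two smaller points in the ip6 table: the bare `log` at the end of `chain input` logs every packet that falls through to the drop policy with no rate limit, which on a congress network with a public /64 can flood the kernel log, so consider `limit rate 10/minute log prefix "ip6-input-drop: "` instead; and `chain forward` is `policy accept`, so only traffic to `2a0a:e5c1:137:b00::/64` ever reaches the `docker_container` chain while forwarded IPv6 to any other destination is allowed unconditionally, which deserves `policy drop` plus explicit accepts if the notebook is not meant to act as a general router.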