add blog post about my notebook firewall

2019-12-23 18:23:28 +01:00 · 2019-12-23 18:23:28 +01:00 · d236e71fb0
parent a1e9824764
commit d236e71fb0
1 changed files with 81 additions and 0 deletions
--- a/blog/my-notebook-firewall-36c3.mdwn
+++ b/blog/my-notebook-firewall-36c3.mdwn
@ -0,0 +1,81 @@
+[[!meta title="My notebook firewall for the 36c3"]]
+
+It's time for the
+[36c3](https://events.ccc.de/congress/2019/wiki/index.php/Main_Page)
+and to verify that some things are in place where they should be.
+
+As some of you might know, I am using
+[IPv6 extensively](https://ipv6onlyhosting.com) to provide
+services anywhere on anything, so you will see quite some IPv6 related
+rules in my configuration.
+
+This post should serve two purpose:
+
+* Inspire others to verify their network settings prior to the
+  congress
+* Get feedback from anyone spotting a huge mistake in my config :-)
+
+## The firewall rules
+
+I am using
+[nftables](https://ungleich.ch/en-us/cms/blog/2018/09/11/introduction-to-nftables/)
+on my notebook and the ruleset is shown below:
+
+
+```
+table ip filter {
+        chain input {
+                type filter hook input priority 0;
+                policy drop;
+
+                ct state established,related accept
+                tcp dport { 22 } accept
+        }
+        chain forward {
+                type filter hook forward priority 0;
+                policy drop;
+        }
+        chain output {
+                type filter hook output priority 0;
+                policy accept;
+        }
+}
+table ip6 filter {
+        chain input {
+                type filter hook input priority 0;
+                policy drop;
+
+                icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+
+                ct state established,related accept
+                tcp dport { 22, 80, 443 } accept
+
+                log
+        }
+
+        chain forward {
+                type filter hook forward priority 0;
+                policy accept;
+
+                ct state established,related accept
+
+                ip6 daddr 2a0a:e5c1:137:b00::/64 jump docker_container
+        }
+
+        chain docker_container {
+        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+
+                tcp dport { 22, 443 } accept
+                drop
+
+        }
+        chain output {
+                type filter hook output priority 0;
+                policy accept;
+        }
+}
+```
+
+
+
+[[!tag ccc firewall nftables ipv6]]