From d236e71fb097a55860b12b75ce90137e36c10bd2 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Mon, 23 Dec 2019 18:23:28 +0100
Subject: [PATCH] add blog post about my notebook firewall
---
 blog/my-notebook-firewall-36c3.mdwn | 81 +++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 blog/my-notebook-firewall-36c3.mdwn
diff --git a/blog/my-notebook-firewall-36c3.mdwn b/blog/my-notebook-firewall-36c3.mdwn
new file mode 100644
index 00000000..356eb630
--- /dev/null
+++ b/blog/my-notebook-firewall-36c3.mdwn
@@ -0,0 +1,81 @@
+[[!meta title="My notebook firewall for the 36c3"]]
+
+It's time for the
+[36c3](https://events.ccc.de/congress/2019/wiki/index.php/Main_Page)
+and to verify that some things are in place where they should be.
+
+As some of you might know, I am using
+[IPv6 extensively](https://ipv6onlyhosting.com) to provide
+services anywhere on anything, so you will see quite some IPv6 related
+rules in my configuration.
+
+This post should serve two purpose:
+
+* Inspire others to verify their network settings prior to the
+ congress
+* Get feedback from anyone spotting a huge mistake in my config :-)
+
+## The firewall rules
+
+I am using
+[nftables](https://ungleich.ch/en-us/cms/blog/2018/09/11/introduction-to-nftables/)
+on my notebook and the ruleset is shown below:
+
+
+```
+table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ policy drop;
+
+ ct state established,related accept
+ tcp dport { 22 } accept
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ policy drop;
+ }
+ chain output {
+ type filter hook output priority 0;
+ policy accept;
+ }
+}
+table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ policy drop;
+
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+
+ ct state established,related accept
+ tcp dport { 22, 80, 443 } accept
+
+ log
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+ policy accept;
+
+ ct state established,related accept
+
+ ip6 daddr 2a0a:e5c1:137:b00::/64 jump docker_container
+ }
+
+ chain docker_container {
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+
+ tcp dport { 22, 443 } accept
+ drop
+
+ }
+ chain output {
+ type filter hook output priority 0;
+ policy accept;
+ }
+}
+```
+
+
+
+[[!tag ccc firewall nftables ipv6]]
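Review bot: Neither `input` chain accepts loopback traffic, so with `policy drop` every new connection to a local service over 127.0.0.1 or ::1 on a port other than 22 (IPv4) or 22/80/443 (IPv6) is dropped; add `iif lo accept` as the first rule of both `input` chains unless that rule lives in a part of the ruleset not shown in the post. The ip6 `forward` chain uses `policy accept` while the ip one drops, so only packets to 2a0a:e5c1:137:b00::/64 are filtered by `docker_container` and any other forwarded IPv6 traffic passes unchecked; `policy drop;` plus an explicit accept for the container subnet's outbound traffic such as `ip6 saddr 2a0a:e5c1:137:b00::/64 accept` would match the IPv4 side. Accepting `nd-router-advert` from any source on a shared congress network invites rogue-RA attacks; moving it out of the icmpv6 set into `ip6 saddr fe80::/10 icmpv6 type nd-router-advert accept` (alongside the kernel's accept_ra settings) limits it to on-link senders. The bare `log` at the end of ip6 `input` fires for every dropped packet during a port scan; `limit rate 10/minute log prefix "ip6-input-drop: "` keeps the journal usable.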