[[!meta title="My notebook firewall for the 36c3"]]

It's time for the
[36c3](https://events.ccc.de/congress/2019/wiki/index.php/Main_Page)
and to verify that some things are in place where they should be.

As some of you might know, I am using
[IPv6 extensively](https://ipv6onlyhosting.com) to provide
services anywhere on anything, so you will see quite a few IPv6-related
rules in my configuration.

This post should serve two purposes:

* Inspire others to verify their network settings prior to the
  congress
* Get feedback from anyone spotting a huge mistake in my config :-)

## The firewall rules

I am using
[nftables](https://ungleich.ch/en-us/cms/blog/2018/09/11/introduction-to-nftables/)
on my notebook and the ruleset is shown below:

```
table ip filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        ct state established,related accept
        tcp dport { 22 } accept
    }
    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }
    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
table ip6 filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        ct state established,related accept
        tcp dport { 22, 80, 443 } accept

        log
    }

    chain forward {
        type filter hook forward priority 0;
        policy accept;

        ct state established,related accept

        ip6 daddr 2a0a:e5c1:137:b00::/64 jump docker_container
    }

    chain docker_container {
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        tcp dport { 22, 443 } accept
        drop
    }
    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
```
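A small audit script over a ruleset dump like the one above, as an added example that is not part of the original post: it parses a constructed excerpt of the ip6 table (one statement per line) and reports hook chains whose default policy is not drop, plus any ICMPv6 types needed for neighbour discovery or path MTU discovery that the input chain never accepts. The helper names `parse`, `open_hook_chains`, `missing_icmpv6` and the `ND_REQUIRED` set are assumptions of this example.

```python
# Static checks over an nftables dump. Added example, not from the post;
# RULESET is a constructed excerpt of the post's ip6 table, one statement per line.
import re

RULESET = """
table ip6 filter {
  chain input {
    type filter hook input priority 0; policy drop;
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
    ct state established,related accept
    tcp dport { 22, 80, 443 } accept
    log
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    ct state established,related accept
  }
}
"""
# ICMPv6 types IPv6 cannot work without (neighbour discovery, path MTU discovery).
ND_REQUIRED = {"nd-neighbor-solicit", "nd-neighbor-advert", "nd-router-advert", "packet-too-big"}

def parse(text):
    """Return {table: {chain: {"hook", "policy", "rules"}}} from the dump."""
    tables, table, chain = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"table (\w+ \w+) \{", line):
            table = tables.setdefault(m[1], {})
        elif m := re.match(r"chain (\w+) \{", line):
            chain = table.setdefault(m[1], {"hook": None, "policy": None, "rules": []})
        elif line == "}":
            chain = None                      # closes a chain, or the table itself
        elif m := re.search(r"hook (\w+) priority -?\d+; policy (\w+);", line):
            chain["hook"], chain["policy"] = m[1], m[2]
        else:
            chain["rules"].append(line)       # an ordinary rule statement
    return tables

def open_hook_chains(tables):
    """Input/forward hook chains whose default policy is not drop."""
    return sorted(f"{t} {c}" for t, chs in tables.items() for c, ch in chs.items()
                  if ch["hook"] in ("input", "forward") and ch["policy"] != "drop")

def missing_icmpv6(tables, table="ip6 filter", chain="input"):
    """Required ICMPv6 types that the given chain never accepts."""
    accepted = set()
    for rule in tables[table][chain]["rules"]:
        if m := re.match(r"icmpv6 type \{([^}]*)\} accept", rule):
            accepted |= {t.strip() for t in m[1].split(",")}
    return sorted(ND_REQUIRED - accepted)
```

Run against the excerpt, the only finding is the forward chain's accept policy, which is intentional here for the Docker network; dropping `packet-too-big` from the ICMPv6 set would be flagged as a path MTU breaker.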
[[!tag ccc firewall nftables ipv6]]
|