author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-13 22:21:14 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-13 22:21:14 +0100 |
commit | 998fa669ea530f30a716cdfa3c6c8a6068110915 (patch) | |
tree | 3e940e4fbedeb75adcda22a0c29a6ad5ebcb0cbd | |
parent | 1f159ca9d0a0d6bf1281b21850e793e65e39d1dd (diff) | |
nftables
-rw-r--r-- | files/.config | 76 | ||||
-rw-r--r-- | files/files/etc/config/firewall | 73 | ||||
-rwxr-xr-x | files/files/etc/hotplug.d/iface/20-nftables | 9 | ||||
-rwxr-xr-x | files/files/etc/init.d/nftables | 28 | ||||
-rw-r--r-- | files/files/etc/ruleset.nft | 115 |
5 files changed, 160 insertions, 141 deletions
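--- a/files/.config
+++ b/files/.config
@@ -3442,12 +3442,12 @@ CONFIG_PACKAGE_kmod-nf-nat6=m
 # CONFIG_PACKAGE_kmod-nf-nathelper-extra is not set
 CONFIG_PACKAGE_kmod-nf-reject=y
 CONFIG_PACKAGE_kmod-nf-reject6=y
-CONFIG_PACKAGE_kmod-nfnetlink=m
+CONFIG_PACKAGE_kmod-nfnetlink=y
 # CONFIG_PACKAGE_kmod-nfnetlink-log is not set
 # CONFIG_PACKAGE_kmod-nfnetlink-queue is not set
 # CONFIG_PACKAGE_kmod-nft-arp is not set
 # CONFIG_PACKAGE_kmod-nft-bridge is not set
-CONFIG_PACKAGE_kmod-nft-core=m
+CONFIG_PACKAGE_kmod-nft-core=y
 CONFIG_PACKAGE_kmod-nft-fib=m
 CONFIG_PACKAGE_kmod-nft-nat=m
 CONFIG_PACKAGE_kmod-nft-nat6=m
@@ -4963,7 +4963,7 @@ CONFIG_WOLFSSL_HAS_NO_HW=y
 # CONFIG_PACKAGE_icu is not set
 # CONFIG_PACKAGE_icu-data-tools is not set
 # CONFIG_PACKAGE_icu-full-data is not set
-CONFIG_PACKAGE_jansson=m
+CONFIG_PACKAGE_jansson=y
 # CONFIG_PACKAGE_json-glib is not set
 # CONFIG_PACKAGE_jsoncpp is not set
 # CONFIG_PACKAGE_knot-libs is not set
@@ -5109,7 +5109,7 @@ CONFIG_PACKAGE_liblua=y
 # CONFIG_PACKAGE_libmilter-sendmail is not set
 # CONFIG_PACKAGE_libminiupnpc is not set
 # CONFIG_PACKAGE_libmms is not set
-CONFIG_PACKAGE_libmnl=m
+CONFIG_PACKAGE_libmnl=y
 # CONFIG_PACKAGE_libmodbus is not set
 # CONFIG_PACKAGE_libmosquitto-nossl is not set
 # CONFIG_PACKAGE_libmosquitto-ssl is not set
@@ -5133,7 +5133,7 @@ CONFIG_PACKAGE_libncurses=y
 # CONFIG_PACKAGE_libnettle is not set
 # CONFIG_PACKAGE_libnewt is not set
 # CONFIG_PACKAGE_libnfnetlink is not set
-CONFIG_PACKAGE_libnftnl=m
+CONFIG_PACKAGE_libnftnl=y
 # CONFIG_PACKAGE_libnghttp2 is not set
 # CONFIG_PACKAGE_libnl is not set
 # CONFIG_PACKAGE_libnl-core is not set
@@ -5496,7 +5496,6 @@ CONFIG_LUCI_CSSTIDY=y
 # CONFIG_PACKAGE_luci-app-smartdns is not set
 # CONFIG_PACKAGE_luci-app-snmpd is not set
 # CONFIG_PACKAGE_luci-app-softether is not set
-# CONFIG_PACKAGE_luci-app-splash is not set
 # CONFIG_PACKAGE_luci-app-sqm is not set
 # CONFIG_PACKAGE_luci-app-squid is not set
 # CONFIG_PACKAGE_luci-app-statistics is not set
@@ -5667,12 +5666,7 @@ CONFIG_PACKAGE_luci-lib-nixio_notls=y
 #
 # Captive Portals
 #
-# CONFIG_PACKAGE_apfree-wifidog is not set
 # CONFIG_PACKAGE_coova-chilli is not set
-# CONFIG_PACKAGE_nodogsplash is not set
-# CONFIG_PACKAGE_opennds is not set
-# CONFIG_PACKAGE_wifidog is not set
-# CONFIG_PACKAGE_wifidog-tls is not set
 # end of Captive Portals
 
 #
@@ -5738,57 +5732,11 @@ CONFIG_PACKAGE_luci-lib-nixio_notls=y
 # CONFIG_PACKAGE_ebtables is not set
 # CONFIG_PACKAGE_fwknop is not set
 # CONFIG_PACKAGE_fwknopd is not set
-CONFIG_PACKAGE_ip6tables=y
-# CONFIG_PACKAGE_ip6tables-extra is not set
-# CONFIG_PACKAGE_ip6tables-mod-nat is not set
-CONFIG_PACKAGE_iptables=y
+# CONFIG_PACKAGE_ip6tables is not set
+# CONFIG_PACKAGE_iptables is not set
 # CONFIG_IPTABLES_CONNLABEL is not set
 # CONFIG_IPTABLES_NFTABLES is not set
-# CONFIG_PACKAGE_iptables-mod-account is not set
-# CONFIG_PACKAGE_iptables-mod-chaos is not set
-# CONFIG_PACKAGE_iptables-mod-checksum is not set
-# CONFIG_PACKAGE_iptables-mod-cluster is not set
-# CONFIG_PACKAGE_iptables-mod-clusterip is not set
-# CONFIG_PACKAGE_iptables-mod-condition is not set
-# CONFIG_PACKAGE_iptables-mod-conntrack-extra is not set
-# CONFIG_PACKAGE_iptables-mod-delude is not set
-# CONFIG_PACKAGE_iptables-mod-dhcpmac is not set
-# CONFIG_PACKAGE_iptables-mod-dnetmap is not set
-# CONFIG_PACKAGE_iptables-mod-extra is not set
-# CONFIG_PACKAGE_iptables-mod-filter is not set
-# CONFIG_PACKAGE_iptables-mod-fuzzy is not set
-# CONFIG_PACKAGE_iptables-mod-geoip is not set
-# CONFIG_PACKAGE_iptables-mod-hashlimit is not set
-# CONFIG_PACKAGE_iptables-mod-iface is not set
-# CONFIG_PACKAGE_iptables-mod-ipmark is not set
-# CONFIG_PACKAGE_iptables-mod-ipopt is not set
-# CONFIG_PACKAGE_iptables-mod-ipp2p is not set
-# CONFIG_PACKAGE_iptables-mod-iprange is not set
-# CONFIG_PACKAGE_iptables-mod-ipsec is not set
-# CONFIG_PACKAGE_iptables-mod-ipv4options is not set
-# CONFIG_PACKAGE_iptables-mod-led is not set
-# CONFIG_PACKAGE_iptables-mod-length2 is not set
-# CONFIG_PACKAGE_iptables-mod-logmark is not set
-# CONFIG_PACKAGE_iptables-mod-lscan is not set
-# CONFIG_PACKAGE_iptables-mod-lua is not set
-# CONFIG_PACKAGE_iptables-mod-nat-extra is not set
-# CONFIG_PACKAGE_iptables-mod-nflog is not set
-# CONFIG_PACKAGE_iptables-mod-nfqueue is not set
-# CONFIG_PACKAGE_iptables-mod-physdev is not set
-# CONFIG_PACKAGE_iptables-mod-proto is not set
-# CONFIG_PACKAGE_iptables-mod-psd is not set
-# CONFIG_PACKAGE_iptables-mod-quota2 is not set
-# CONFIG_PACKAGE_iptables-mod-rpfilter is not set
 # CONFIG_PACKAGE_iptables-mod-rtpengine is not set
-# CONFIG_PACKAGE_iptables-mod-sysrq is not set
-# CONFIG_PACKAGE_iptables-mod-tarpit is not set
-# CONFIG_PACKAGE_iptables-mod-tee is not set
-# CONFIG_PACKAGE_iptables-mod-tproxy is not set
-# CONFIG_PACKAGE_iptables-mod-trace is not set
-# CONFIG_PACKAGE_iptables-mod-u32 is not set
-# CONFIG_PACKAGE_iptables-mod-ulog is not set
-# CONFIG_PACKAGE_iptaccount is not set
-# CONFIG_PACKAGE_iptgeoip is not set
 
 #
 # Select iptgeoip options
@@ -5800,7 +5748,7 @@ CONFIG_PACKAGE_iptables=y
 # CONFIG_PACKAGE_miniupnpd-iptables is not set
 # CONFIG_PACKAGE_miniupnpd-nftables is not set
 # CONFIG_PACKAGE_natpmpc is not set
-CONFIG_PACKAGE_nftables-json=m
+CONFIG_PACKAGE_nftables-json=y
 # CONFIG_PACKAGE_nftables-nojson is not set
 # CONFIG_PACKAGE_shorewall is not set
 # CONFIG_PACKAGE_shorewall-core is not set
@@ -6233,7 +6181,6 @@ CONFIG_LLDPD_WITH_CUSTOM=y
 # CONFIG_PACKAGE_chaosvpn is not set
 # CONFIG_PACKAGE_eoip is not set
 # CONFIG_PACKAGE_fastd is not set
-# CONFIG_PACKAGE_libreswan is not set
 # CONFIG_PACKAGE_ocserv is not set
 # CONFIG_PACKAGE_openconnect is not set
 # CONFIG_PACKAGE_openfortivpn is not set
@@ -6250,7 +6197,6 @@ CONFIG_LLDPD_WITH_CUSTOM=y
 # CONFIG_PACKAGE_softethervpn5-client is not set
 # CONFIG_PACKAGE_softethervpn5-server is not set
 # CONFIG_PACKAGE_sstp-client is not set
-# CONFIG_PACKAGE_strongswan is not set
 # CONFIG_PACKAGE_tailscale is not set
 # CONFIG_PACKAGE_tailscaled is not set
 # CONFIG_PACKAGE_tinc is not set
@@ -6317,7 +6263,6 @@ CONFIG_PACKAGE_wireguard-tools=y
 # CONFIG_PACKAGE_shadowsocks-libev-config is not set
 # CONFIG_PACKAGE_shadowsocks-libev-ss-local is not set
 # CONFIG_PACKAGE_shadowsocks-libev-ss-redir is not set
-# CONFIG_PACKAGE_shadowsocks-libev-ss-rules is not set
 # CONFIG_PACKAGE_shadowsocks-libev-ss-server is not set
 # CONFIG_PACKAGE_shadowsocks-libev-ss-tunnel is not set
 # CONFIG_PACKAGE_sockd is not set
@@ -6328,7 +6273,6 @@ CONFIG_PACKAGE_wireguard-tools=y
 # CONFIG_PACKAGE_trojan-go is not set
 # CONFIG_PACKAGE_uhttpd is not set
 # CONFIG_PACKAGE_uwsgi is not set
-# CONFIG_PACKAGE_v2raya is not set
 # end of Web Servers/Proxies
 
 #
@@ -6437,7 +6381,6 @@ CONFIG_PACKAGE_wpad-openssl=y
 # CONFIG_PACKAGE_coap-server is not set
 # CONFIG_PACKAGE_conserver is not set
 # CONFIG_PACKAGE_crowdsec is not set
-# CONFIG_PACKAGE_crowdsec-firewall-bouncer is not set
 # CONFIG_PACKAGE_cshark is not set
 # CONFIG_PACKAGE_daemonlogger is not set
 # CONFIG_PACKAGE_darkstat is not set
@@ -6450,7 +6393,6 @@ CONFIG_PACKAGE_wpad-openssl=y
 # CONFIG_PACKAGE_ds-lite is not set
 # CONFIG_PACKAGE_esniper is not set
 # CONFIG_PACKAGE_etherwake is not set
-# CONFIG_PACKAGE_etherwake-nfqueue is not set
 # CONFIG_PACKAGE_ethtool is not set
 # CONFIG_PACKAGE_ethtool-full is not set
 # CONFIG_PACKAGE_fail2ban is not set
@@ -6512,7 +6454,6 @@ CONFIG_PACKAGE_iw=y
 # CONFIG_PACKAGE_mac-telnet-discover is not set
 # CONFIG_PACKAGE_mac-telnet-ping is not set
 # CONFIG_PACKAGE_mac-telnet-server is not set
-# CONFIG_PACKAGE_map is not set
 # CONFIG_PACKAGE_mbusd is not set
 # CONFIG_PACKAGE_mdns-repeater is not set
 # CONFIG_PACKAGE_memcached is not set
@@ -7075,7 +7016,6 @@ CONFIG_PACKAGE_sunwait=y
 # CONFIG_PACKAGE_dmesg is not set
 # CONFIG_PACKAGE_docker is not set
 # CONFIG_PACKAGE_docker-compose is not set
-# CONFIG_PACKAGE_dockerd is not set
 # CONFIG_PACKAGE_domoticz is not set
 # CONFIG_PACKAGE_dropbearconvert is not set
 # CONFIG_PACKAGE_dtc is not set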
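--- a/files/files/etc/config/firewall
+++ /dev/null
@@ -1,73 +0,0 @@
-config defaults
-option synflood_protect '1'
-option input 'REJECT'
-option output 'ACCEPT'
-option forward 'REJECT'
-
-config zone 'lan'
-option name 'lan'
-list network 'lan'
-option input 'DROP'
-option output 'DROP'
-option forward 'DROP'
-
-config zone 'mgmt'
-option name 'mgmt'
-list network 'mgmt'
-
-config rule
-option name 'Allow-Ping'
-option src '*'
-option proto 'icmp'
-option icmp_type 'echo-request'
-option family 'ipv4'
-option target 'ACCEPT'
-
-config rule
-option name 'Allow-ICMPv6-Input'
-option src '*'
-option proto 'icmp'
-list icmp_type 'echo-request'
-list icmp_type 'echo-reply'
-list icmp_type 'destination-unreachable'
-list icmp_type 'packet-too-big'
-list icmp_type 'time-exceeded'
-list icmp_type 'bad-header'
-list icmp_type 'unknown-header-type'
-list icmp_type 'router-solicitation'
-list icmp_type 'neighbour-solicitation'
-list icmp_type 'router-advertisement'
-list icmp_type 'neighbour-advertisement'
-option limit '1000/sec'
-option family 'ipv6'
-option target 'ACCEPT'
-
-config rule
-option name 'Allow-ICMPv6-Forward'
-option src '*'
-option dest '*'
-option proto 'icmp'
-list icmp_type 'echo-request'
-list icmp_type 'echo-reply'
-list icmp_type 'destination-unreachable'
-list icmp_type 'packet-too-big'
-list icmp_type 'time-exceeded'
-list icmp_type 'bad-header'
-list icmp_type 'unknown-header-type'
-option limit '1000/sec'
-option family 'ipv6'
-option target 'ACCEPT'
-
-config rule
-option name 'Allow-SSH'
-option src 'mgmt'
-option dest_port '22'
-option proto 'tcp'
-option target 'ACCEPT'
-
-config rule
-option name 'Allow-Prometheus'
-option src 'mgmt'
-option dest_port '9100'
-option proto 'tcp'
-option target 'ACCEPT'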
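--- /dev/null
+++ b/files/files/etc/hotplug.d/iface/20-nftables
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0
+[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0
+
+/etc/init.d/firewall enabled || exit 0
+
+logger -t firewall "Reloading firewall due to $ACTION of $INTERFACE ($DEVICE)"
+/etc/init.d/firewall reload
\ No newline at end of file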
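Review bot: Lines 6 and 9 call `/etc/init.d/firewall`, but the service this commit adds is `/etc/init.d/nftables`, and the uci config the old firewall service consumed is deleted in the same commit; unless the fw3 `firewall` package is still installed, which the .config hunks do not show either way, `enabled` fails and the script exits before doing anything, so the nftables ruleset is never re-applied on interface events. The two lines should name the new service, `/etc/init.d/nftables enabled || exit 0` and `/etc/init.d/nftables reload`, and the `logger -t firewall` tag on line 8 is best changed to `-t nftables` so its messages are distinguishable from fw3's in the syslog. On line 3, `[ a -o b ]` is the obsolescent form of test; `[ "$ACTION" = ifup ] || [ "$ACTION" = ifupdate ] || exit 0` is the portable spelling, although busybox ash accepts both.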
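--- /dev/null
+++ b/files/files/etc/init.d/nftables
@@ -0,0 +1,28 @@
+#!/bin/sh /etc/rc.common
+
+START=19
+USE_PROCD=1
+QUIET=""
+
+service_triggers() {
+procd_add_reload_trigger firewall
+}
+
+restart() {
+reload_service
+}
+
+start_service() {
+nft -f - <<EOF
+flush ruleset
+include "/etc/ruleset.nft"
+EOF
+}
+
+stop_service() {
+nft flush ruleset
+}
+
+reload_service() {
+start_service
+}
\ No newline at end of file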
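Review bot: `start_service` (lines 15-20) ignores the exit status of `nft -f -`, so a ruleset that fails to parse is reported nowhere; because the flush and the include are one nft transaction, a failed reload keeps the previous rules, but a failed load at boot leaves the kernel with no tables at all, i.e. every port reachable, with nothing in the log to say so. Line 16 should at least surface the failure, `nft -f - <<EOF || { logger -t nftables -p daemon.err "failed to load /etc/ruleset.nft"; return 1; }`, keeping the heredoc body as it is. `service_triggers` on line 8 registers a reload on the uci `firewall` config, which this commit deletes, so as far as the diff shows that trigger can never fire; either remove it or point it at whatever config the ruleset is meant to follow. `stop_service` flushing the ruleset on line 23 also leaves the host unfiltered, which is what stop means here but deserves a comment such as `# stop leaves the host unfiltered; use reload for rule changes` above it.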
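--- /dev/null
+++ b/files/files/etc/ruleset.nft
@@ -0,0 +1,115 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
+table inet filter {
+counter icmp-ratelimit-fw {}
+
+counter icmp-fw {}
+
+counter invalid-fw {}
+counter fw-lo {}
+
+counter reject-ratelimit-fw {}
+counter reject-fw {}
+counter reject-tcp-fw {}
+counter reject-icmp-fw {}
+
+
+counter invalid-rx {}
+counter rx-lo {}
+counter invalid-local4-rx {}
+counter invalid-local6-rx {}
+
+counter icmp-ratelimit-rx {}
+counter icmp-rx {}
+
+counter ssh-rx {}
+counter prometheus-rx {}
+
+counter established-rx {}
+
+counter reject-ratelimit-rx {}
+counter reject-rx {}
+counter reject-tcp-rx {}
+counter reject-icmp-rx {}
+
+
+counter tx-lo {}
+
+counter icmp-ratelimit-tx {}
+counter icmp-tx {}
+
+counter ssh-tx {}
+counter prometheus-tx {}
+
+counter tx {}
+
+
+chain forward {
+type filter hook forward priority filter
+policy drop
+
+
+ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+
+
+iifname lo counter name fw-lo accept
+
+
+meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop
+meta l4proto $icmp_protos counter name icmp-fw accept
+
+
+limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
+log level debug prefix "reject forward: " counter name reject-fw
+meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+ct state new counter name reject-icmp-fw reject
+}
+
+chain input {
+type filter hook input priority filter
+policy drop
+
+
+ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
+
+
+iifname lo counter name rx-lo accept
+iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+
+
+meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+meta l4proto $icmp_protos counter name icmp-rx accept
+
+
+iifname mgmt tcp dport 22 counter name ssh-rx accept
+iifname mgmt tcp dport 9100 counter name prometheus-rx accept
+
+
+ct state {established, related} counter name established-rx accept
+
+
+limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+log level debug prefix "reject input: " counter name reject-rx
+meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+ct state new counter name reject-icmp-rx reject
+}
+
+chain output {
+type filter hook output priority filter
+
+
+oifname lo counter name tx-lo accept
+
+
+meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+tcp sport 22 counter name ssh-tx
+tcp sport 9100 counter name prometheus-tx
+
+
+counter name tx
+}
+}
\ No newline at end of file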
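Review bot: Lines 58, 62, 81, 92 and 105 reference the named limits `lim_icmp` and `lim_reject`, but the table only declares `counter` objects and never a `limit`, and the init script loads this file alone after `flush ruleset`, so the load should fail on an unknown object and, with the init script not checking nft's status, leave the host with no ruleset rather than a restrictive one. Both need a declaration next to the counters, for example `limit lim_icmp { rate over 100/second burst 100 packets }` and `limit lim_reject { rate over 10/second burst 10 packets }` (rates are constructed examples, not a recommendation). Note that a limit without `over` matches packets that are still within the rate, so these `drop` rules only act as rate limits if the objects are declared with `rate over`; declared without it they would drop the well-behaved share of ICMP and let the excess through to `accept`. Lines 85-86 match `iifname mgmt`, i.e. a kernel device literally called mgmt, whereas the deleted uci zone referred to the logical network 'mgmt', which is often realised as a bridge or VLAN device with another name; if they differ, SSH and the exporter port are silently rejected on the management side, so the device name is worth confirming in a comment above line 85.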