From 03cf422e8132cc08863083f27f377ffec910c192 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 16 Dec 2021 14:24:36 +0100
Subject: surtr: restrict incoming icmp

---
 hosts/surtr/ruleset.nft | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'hosts/surtr/ruleset.nft')

diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index cb41f1cf..b57434a6 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -44,8 +44,10 @@ table inet filter {
 iifname lo counter accept
- meta l4proto $icmp_protos limit name lim_icmp counter drop
- meta l4proto $icmp_protos counter accept
+ meta l4proto $icmp_protos iifname yggdrasil limit name lim_icmp counter drop
+ meta l4proto $icmp_protos iifname yggdrasil counter accept
+ meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
+ meta l4proto $icmp_protos ct state {established, related} counter accept
 limit name lim_reject log prefix "drop forward: " counter drop
-- 
cgit v1.2.3
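Review bot: The two added `ct state {established, related}` rules are now the only path for ICMP arriving on interfaces other than yggdrasil, and they will not match ICMPv6 Neighbor Discovery (neighbor solicitation/advertisement, router advertisement), which conntrack does not classify as established or related; if `$icmp_protos` includes icmpv6 and the chain otherwise drops, the host loses IPv6 neighbor and router resolution on every non-yggdrasil interface once its neighbor cache expires. Add an explicit accept ahead of the new rules, e.g. `icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 counter accept` — RFC 4861 requires hop limit 255 on NDP, so the match also rejects NDP that was routed in from elsewhere. Fresh ICMP from non-yggdrasil peers (echo requests, for example) now falls through to the final `log prefix "drop forward: " counter drop` rule, which appears intended but deserves a one-line comment above the new rules stating that only yggdrasil may originate ICMP to this host. The definitions of `$icmp_protos`, the `lim_icmp` limit and the chain's policy are outside the hunk, so the above assumes icmpv6 is covered and the default is drop.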