1. Forum
  2. Usenet
  3. LINUX.DEBIAN.MAINT.FIREWA

  • new to nft

    From =?UTF-8?Q?Fran=c3=a7ois_Patte?=@21:1/5 to All on Wed Jan 13 17:50:01 2021
    This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --UevvUGqidaNbCCXZfVHdukMp7JKAjOAwz
    Content-Type: multipart/mixed;
    boundary="------------AC40019453B25BB483A3C374"
    Content-Language: fr-FR

    This is a multi-part message in MIME format. --------------AC40019453B25BB483A3C374
    Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable

    Bonjour,

    I begin to use nftables and wrote thes rules:
    chain input { # handle 1
    type filter hook input priority 0; policy drop;
    ct state established,related accept # handle 4
    ip saddr 192.168.1.0/24 accept # handle 5
    ip6 saddr fe80::/10 accept # handle 6
    ct state invalid drop # handle 7
    iifname "lo" accept # handle 8
    tcp dport 22222 accept # handle 9
    log # handle 10
    }

    I expect to block all traffic from anywhere except on the local network (192.168.1.0/24)

    Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

    I expect too accept connections from the internet to port 22222

    The last line "log" is (for me) supposed to log all dropped packets, am
    I right?

    For this last line, logwatch reports "logged packets on interface".
    logwatch with iptables reports "drop packets on the interface"

    Are these packets dropped or only logged?

    Thank you for your explanations.

    Regards.

    --
    François Patte
    UFR de mathématiques et informatique
    Laboratoire CNRS MAP5, UMR 8145
    Université Paris Descartes
    45, rue des Saints Pères
    F-75270 Paris Cedex 06
    Tél. +33 (0)6 7892 5822
    http://www.math-info.univ-paris5.fr/~patte
    FSF https://www.fsf.org/blogs/community/presenting-shoetool-happy-holidays-from-the-fsf

    --------------AC40019453B25BB483A3C374
    Content-Type: application/pgp-keys;
    name="OpenPGP_0x744E82D9D855D895.asc"
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: attachment;
    filename="OpenPGP_0x744E82D9D855D895.asc"

    -----BEGIN PGP PUBLIC KEY BLOCK-----

    xsDiBEI1fdMRBACpPxrD/B2pHUPHchL+8QAOFZX35wLqvE5mUxUxLU6E0FvwXJ+A9R4FfpHelXiC aeO27hW4g3owes6eWEtZS1f6tXCoUWvLttLCodQcC/JQtnW72YujgvygjQKMKBWNRk+9YNGZ0an+ +BOarOSZDt+7xqvJXgSmJiwvUkO1T4362wCg2ER+jQO1M56UdFmhHaS/77jMEfUD/i26BuZu+RLl Q5bpiZIUOBsvegcXxL6sXi/uQy18bfhiKh4+5DDhfoQ+qOvmCSt227U+c8Qk+3KD2lDMrOqXfcX2 F+FVx1OOGr5tfIfgS1VXh4ED8Q2QxgwZIEqWmHpHTLOJq1Ant3HYhV7/52zOjB/uTXtg/tnhpB19 H/o1EhxoBACpOLfM
  • From Pascal Hambourg@21:1/5 to All on Wed Jan 13 20:20:02 2021
    Le 13/01/2021 à 17:40, François Patte a écrit :

    I begin to use nftables and wrote thes rules:
        chain input { # handle 1
            type filter hook input priority 0; policy drop;
            ct state established,related accept # handle 4
            ip saddr 192.168.1.0/24 accept # handle 5
            ip6 saddr fe80::/10 accept # handle 6
            ct state invalid drop # handle 7
            iifname "lo" accept # handle 8
            tcp dport 22222 accept # handle 9
            log # handle 10
        }

    I expect to block all traffic from anywhere except on the local network (192.168.1.0/24)

    "on the local network" does not make any sense, and, this ruleset fails
    to drop all traffic from anywhere but 192.168.1.0/24 :

    ct state established,related accept # handle 4

    accepts traffic from any address, and

    iifname "lo" accept # handle 8

    accepts traffic from 127.0.0.0/8 and any local (host) address.

    Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

    No. 192.168.1.0/24 is a private prefix. Addresses can be configured by
    any conventional method (static, DHCP...). They are routable.

    fe80::/10 is the link local prefix. Addresses are automatically assigned
    by the kernel itself. They are not routable.

    The last line "log" is (for me) supposed to log all dropped packets, am
    I right?

    No. It does not log packets already dropped by

    ct state invalid drop # handle 7

    For this last line, logwatch reports "logged packets on interface".
    logwatch with iptables reports "drop packets on the interface"

    I wonder how logwatch knows the logged packets are dropped.

    Are these packets dropped or only logged?

    What do you trust more ? The chain default policy "drop" or logwatch ?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dennis Filder@21:1/5 to All on Wed Jan 13 23:00:02 2021
    On Wed, Jan 13, 2021 at 05:40:20PM +0100, Fran�ois Patte wrote:

    Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

    That is the address range for link-local addresses assigned via
    stateless address autoconfiguration. Think of it as an IP address
    derived from the unique MAC address that gets automatically assigned.
    It's not routable, i.e. you can only communicate with computers on the
    local network, so you'd usually assign other IPv6 addresses that are
    routable.

    I expect too accept connections from the internet to port 22222

    I would specify the incoming interface here, too, just for clarity.

    The last line "log" is (for me) supposed to log all dropped packets, am I right?

    Yes.

    For this last line, logwatch reports "logged packets on interface".
    logwatch with iptables reports "drop packets on the interface"

    Are these packets dropped or only logged?

    Both. The log messages should show up in the output of "dmesg". I
    usually use rules like this:

    log prefix "filter_inet:c_f_in " flags all

    This tells my which chain caused that log entry and some more details.
    You could also use:

    counter log prefix "filter_inet:c_f_in " flags all

    It should add a counter of how often that rule was matched. You can
    inspect it with "list ruleset" or by listing that rule by its handle.

    Regards,
    Dennis.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)