path: root/README.md
author sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-13 13:43:22 +0100
committer sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-13 13:43:22 +0100
commit ac0654daf06a9d01fd264d96c00c8ab47b90cb73 (patch)
tree a52a85553116dbc671bf43a7414c34959ca0b8eb /README.md
parent b459f8eef44afaab44e38b8a5946974a4d107301 (diff)
feat(net): nftables laptop firewall
Default-deny inbound, allow outbound. Scoped to 'inet filter' with 'destroy table' on reload so podman/netavark tables are preserved.

- meta/base.txt: add nftables
- systemd-units/system/base.txt: enable nftables.service
- etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6 essentials, DHCPv6 client, default-drop input/forward, accept output)
- etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route, log_martians
- README.md: firewall section with reload caveat
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 8
1 file changed, 8 insertions, 0 deletions
diff --git a/README.md b/README.md
index c390db3..f7c44d3 100644
--- a/README.md
+++ b/README.md
@@ -121,6 +121,14 @@ Four sources of drift are tracked independently and combined by `just status`:
- **/etc** (`just etc-status` / `just etc-diff`): repo-tracked files in `etc/` that differ from or are missing on the live `/etc`. Resolve with `just etc-apply` (repo → live), `just etc-re-add PATH` (live → repo), or `just etc-untrack PATH`.
- **Units** (`just unit-status`): enabled units not in any `systemd-units/{system,user}/*.txt`, or declared units that aren't enabled (checked for both scopes).
+## Firewall
+
+Stateful nftables firewall with a laptop profile: default-deny inbound, allow outbound, loopback + established + ICMP/ICMPv6 + DHCPv6 client only. Ruleset at `etc/nftables.conf`; enabled via `nftables.service` in `systemd-units/system/base.txt`. Kernel hardening (rp_filter, no redirects, no source-route, log_martians) lives in `etc/sysctl.d/99-sysctl.conf`.
+
+The ruleset is scoped to `table inet filter` and uses `destroy table inet filter` on reload, so podman/netavark's own tables are preserved. Don't `systemctl stop nftables` — the package ExecStop runs a global `nft flush ruleset` which would nuke podman rules. Reload with `sudo systemctl reload nftables` or `sudo nft -f /etc/nftables.conf` instead.
+
+Verify with `sudo nft list ruleset`.
+
## Git hooks
Activated by `just init` via `git config core.hooksPath .githooks`:
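Review bot: the caveat on the "Don't `systemctl stop nftables`" line should also cover `systemctl restart nftables` and `systemctl disable --now nftables`, since a restart runs the unit's ExecStop (the global `nft flush ruleset` the line warns about) before ExecStart, so the podman/netavark tables are lost exactly as with a plain stop; suggest "Don't `systemctl stop` or `systemctl restart` nftables — the package ExecStop runs a global `nft flush ruleset` ...". The "Verify with `sudo nft list ruleset`" line could also point the reader at `sudo nft list tables` after a reload, which is the quick check that the podman/netavark tables the `destroy table inet filter` scoping is meant to preserve are still present. Minor style point: `+## Firewall` is inserted directly after the last `- **Units**` list item with no blank line; add one so the list is terminated before the heading.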