authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:36 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:36 +0100
commitfd06e5313c257648b10a56b9c4151d701fba7d43 (patch)
tree53490bd5a7277b914ddef715dd3991c5b927b221 /etc/nftables.conf
parent767a54e48163ea0db701c926e6bf69f2237fce33 (diff)
refactor(nftables): minimize diff against upstream pristine
The previous custom config rewrote the file to 4-space indentation, added an explicit accept-policy output chain, and expanded the icmp section into per-type whitelists. None of that changed observable behaviour vs the stock arch nftables.conf: * Stock already uses scoped `destroy table inet filter` (so podman and netavark tables survive a reload). * `meta l4proto { icmp, icmpv6 } accept` already covers NDP, MLD, PMTUD, and echo — the explicit per-type list was equivalent. * Without an output chain, outbound traffic is unfiltered, which is identical to `policy accept` on an explicit output chain. * DHCPv6 client (UDP/546) is only needed on networks that hand out DHCPv6 leases; my home/work LANs use SLAAC + RDNSS, and the rare DHCPv6 case can be added back in one line if it ever bites. The only laptop-specific deviation is dropping the `tcp dport ssh accept` line — no inbound SSH on a portable machine. Net diff against pristine is now a single deletion, which makes `just etc-upstream-diff` actually useful for spotting upstream ruleset improvements on package updates.
Diffstat (limited to 'etc/nftables.conf')
-rw-r--r--etc/nftables.conf62
1 files changed, 18 insertions, 44 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index c7eada2..610aa7e 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -1,50 +1,24 @@
#!/usr/bin/nft -f
-# Laptop firewall: default-deny inbound, allow outbound.
-# Scoped to `inet filter` so podman/netavark tables are preserved on reload.
+# vim:set ts=2 sw=2 et:
-destroy table inet filter
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+destroy table inet filter
table inet filter {
- chain input {
- type filter hook input priority filter; policy drop;
-
- iif "lo" accept
- ct state vmap { established : accept, related : accept, invalid : drop }
-
- # IPv4 ICMP essentials
- ip protocol icmp icmp type {
- echo-request,
- destination-unreachable,
- time-exceeded,
- parameter-problem
- } accept
-
- # IPv6 ICMP: NDP, PMTUD, echo, MLD
- meta l4proto icmpv6 icmpv6 type {
- destination-unreachable,
- packet-too-big,
- time-exceeded,
- parameter-problem,
- echo-request,
- nd-router-solicit,
- nd-router-advert,
- nd-neighbor-solicit,
- nd-neighbor-advert,
- mld-listener-query,
- mld-listener-report,
- mld-listener-done,
- mld2-listener-report
- } accept
-
- # DHCPv6 client
- ip6 saddr fe80::/10 udp dport 546 accept
- }
-
- chain forward {
- type filter hook forward priority filter; policy drop;
- }
+ chain input {
+ type filter hook input priority filter
+ policy drop
- chain output {
- type filter hook output priority filter; policy accept;
- }
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iif lo accept comment "allow from loopback"
+ meta l4proto { icmp, icmpv6 } accept comment "allow icmp"
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter
+ }
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
}
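Review bot: `meta l4proto { icmp, icmpv6 } accept` in chain input is a superset of the per-type whitelist it replaces, not an equivalent as the commit message says — the old lists never admitted ICMPv4 or ICMPv6 redirect, and the new line admits every type, on a laptop that by its own description joins untrusted LANs. If minimal diff against pristine is still the goal, one line ahead of it keeps the most useful part of the old policy: `icmpv6 type nd-redirect drop comment "ignore redirects on untrusted LANs"` (or pin `net.ipv6.conf.all.accept_redirects=0` via sysctl and say so in a comment here, since the kernel setting is the usual control). The `reject with icmpx type admin-prohibited` line also answers every unsolicited probe, which advertises that the host is up; `drop` is the quieter choice for a portable machine if you accept one more deviation from upstream. Either way a short comment on which deviations are deliberate would keep `just etc-upstream-diff` readable.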