| field | value |
|---|---|
| author | 2026-05-13 13:43:22 +0100 |
| committer | 2026-05-13 13:43:22 +0100 |
| commit | ac0654daf06a9d01fd264d96c00c8ab47b90cb73 (patch) |
| tree | a52a85553116dbc671bf43a7414c34959ca0b8eb /etc/sysctl.d/99-sysctl.conf |
| parent | b459f8eef44afaab44e38b8a5946974a4d107301 (diff) |
| download | dotfiles-ac0654daf06a9d01fd264d96c00c8ab47b90cb73.tar.gz dotfiles-ac0654daf06a9d01fd264d96c00c8ab47b90cb73.tar.bz2 dotfiles-ac0654daf06a9d01fd264d96c00c8ab47b90cb73.zip |
feat(net): nftables laptop firewall
Default-deny inbound, allow outbound. Scoped to 'inet filter' with
'destroy table' on reload so podman/netavark tables are preserved.
- meta/base.txt: add nftables
- systemd-units/system/base.txt: enable nftables.service
- etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6
essentials, DHCPv6 client, default-drop input/forward, accept output)
- etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route,
log_martians
- README.md: firewall section with reload caveat
Diffstat (limited to 'etc/sysctl.d/99-sysctl.conf')
| -rw-r--r-- | etc/sysctl.d/99-sysctl.conf | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf index 6d21fda..3177c28 100644 --- a/etc/sysctl.d/99-sysctl.conf +++ b/etc/sysctl.d/99-sysctl.conf @@ -17,3 +17,16 @@ net.ipv4.tcp_mtu_probing = 1 net.core.default_qdisc = cake net.ipv4.tcp_congestion_control = bbr vm.vfs_cache_pressure = 50 + +# Network hardening +net.ipv4.conf.all.rp_filter = 2 +net.ipv4.conf.default.rp_filter = 2 +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.default.accept_redirects = 0 +net.ipv6.conf.all.accept_redirects = 0 +net.ipv6.conf.default.accept_redirects = 0 +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 +net.ipv4.conf.all.accept_source_route = 0 +net.ipv6.conf.all.accept_source_route = 0 +net.ipv4.conf.all.log_martians = 1 |
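Review bot: the last three added lines of the hunk (`net.ipv4.conf.all.accept_source_route = 0`, `net.ipv6.conf.all.accept_source_route = 0`, `net.ipv4.conf.all.log_martians = 1`) set only the `conf.all` knob, while every other setting in the block is applied to both `conf.all` and `conf.default`; add the `default` counterparts (`net.ipv4.conf.default.accept_source_route = 0`, `net.ipv6.conf.default.accept_source_route = 0`, `net.ipv4.conf.default.log_martians = 1`) so that interfaces created after this file is applied, such as the podman/netavark bridges the commit message says the firewall is designed to coexist with, inherit the same hardened per-interface values instead of the kernel's defaults. Separately, `rp_filter = 2` is loose mode; since the block's only comment is the generic `# Network hardening` header, a one-line comment stating that loose mode was chosen over strict mode (1) because a laptop with more than one active interface would otherwise drop legitimate replies arriving on an interface other than the one the route points to would make that choice reviewable.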
