Re: Any thought of having archlinux-keyring-wkd-sync check for iptables and recommend rule?




On 9/24/23 02:52, David C. Rankin wrote:
On 9/23/23 12:51, Christian wrote:


In addition to the workstation (single interface) nftables example, I have just uploaded an example of nftables firewall rules, i.e. for a router with 2 interfaces that sits between the internet and the internal network.

This supports services provided by the firewall itself (DNS, ssh, etc.) as well as forwarded services to servers on the internal network (web server, ssh, vpn, etc.).

It has blocks and a whitelist, and includes both inet and netdev blocks.

I hand-edited a fully working firewall for this example and hope it's useful. After editing, and before trying it, please confirm there are no typos etc. by running the check:

 nft -c nftables.conf

The nftables rules and sample files containing sets of CIDR blocks for the whitelist or blocks are included. Obviously these will need editing. The set files are designed to be easily generated from a script; after any changes to the sets, reload the rules to pick up the new set data.

It's available in my gh blog area in the nftables/firewall directory:

    https://github.com/gene-git/blog/tree/master/nftables

Hope you find this helpful. And if you find typos or boo-boos, please let me know!

thanks

gene
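As an added illustration of the layout the message above describes (this is not gene's published ruleset, and the interface names, addresses, ports and set file names are all assumptions): a two-interface router with a netdev ingress block list, an inet filter table with a whitelist set, and a nat table for the forwarded services. The set data lives in separate files that are pulled in with include, so a script can regenerate them and the rules are then reloaded with nft -f.

```nft
#!/usr/sbin/nft -f
# Added example, not the ruleset from the blog repo. Assumed layout:
#   eth0 = WAN, eth1 = LAN (192.168.10.0/24)
#   sets/blocked.nft and sets/whitelist.nft each contain a single line such as
#       elements = { 198.51.100.0/24, 203.0.113.7 }
#   and are regenerated by a script, then the ruleset is reloaded.
flush ruleset

define WAN     = eth0
define LAN     = eth1
define LAN_NET = 192.168.10.0/24
define WEB_SRV = 192.168.10.20
define SSH_SRV = 192.168.10.21

# netdev table: drop blocked sources at ingress on the WAN device,
# before conntrack and the inet hooks ever see the packet.
table netdev blocklist {
    set blocked {
        type ipv4_addr
        flags interval
        include "sets/blocked.nft"
    }
    chain ingress {
        type filter hook ingress device "eth0" priority -500; policy accept;
        ip saddr @blocked counter drop
    }
}

table inet filter {
    set whitelist {
        type ipv4_addr
        flags interval
        include "sets/whitelist.nft"
    }

    # Services provided by the firewall itself.
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop
        ct state { established, related } accept
        iif lo accept
        # DNS and ssh from the LAN only
        iifname $LAN udp dport 53 accept
        iifname $LAN tcp dport 53 accept
        iifname $LAN tcp dport 22 accept
        # ssh from the internet only from whitelisted sources
        iifname $WAN ip saddr @whitelist tcp dport 22 accept
        # VPN endpoint on the firewall (WireGuard port assumed)
        iifname $WAN udp dport 51820 accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
                      echo-request, packet-too-big, time-exceeded,
                      parameter-problem, destination-unreachable } accept
        counter drop
    }

    # Forwarded services to servers on the internal network.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state { established, related } accept
        iifname $LAN oifname $WAN accept
        # only the DNAT'd flows from prerouting below are allowed in
        iifname $WAN oifname $LAN ip daddr $WEB_SRV tcp dport { 80, 443 } accept
        iifname $WAN oifname $LAN ip daddr $SSH_SRV tcp dport 22 accept
        counter drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN tcp dport { 80, 443 } dnat to $WEB_SRV
        iifname $WAN tcp dport 2222 dnat to $SSH_SRV:22
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Run `nft -c -f nftables.conf` (with the sets directory resolvable, e.g. via `-I`) after every edit or set regeneration; it parses and evaluates the whole file, including the included set files, without touching the kernel, so a malformed CIDR in a generated set file is caught before `nft -f` replaces the live ruleset. The forward chain deliberately lists the DNAT targets again rather than relying on the nat table alone, so that removing a dnat rule does not silently leave a forwarding path open.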
