Do you accept file attachments? On Sat, Sep 7, 2019 at 9:52 AM, Thomas <tad1073@xxxxxxxxx> wrote:
I need some help simplifying my nft ruleset, I put it inline and my email rejected, I attached it and it was rejected again.
#!/usr/bin/nft -f ###### Defines ###### define mynic = removed for security purposes define myvln = removed for security purposes define routerv4 = removed for security purposes define rllgav6 = removed for security purposes define rgga = removed for security purposes define delpre = removed for security purposes define lo4 = 127.0.0.1 define lo6 = ::1 define blov4 = 127.0.0.0/8 define blov6 = ::/8 define myIPv4 = removed for security purposes define myIPv6 = removed for security purposes define vlanv4 = removed for security purposes define vlan6 = removed for security purposes define my4net = removed for security purposes define my6net = removed for security purposes define block = { 104.16.0.0/12, 199.182.216.0/22, 23.64.0.0/14, 23.32.0.0/11, 138.198.0.0/15, 138.200.0.0/15, 81.22.45.0/24, 193.29.13.0/24, 178.132.200.0/22, 162.243.0.0/16, 37.189.0.0/17, 64.30.224.0/20 } define stupid_tv = removed for security purposes # define g4dns = {8.8.8.8, 8.8.4.4} define g6dns = {2001:4860:4860::8888, 2001:4860:4860::8844} define ssh = removed for security purposes define mysql = removed for security purposes define squid = removed for security purposes define wbmn = removed for security purposes define httpS = removed for security purposes define imapS = removed for security purposes define Tsmb = removed for security purposes # Samba over TCP{ (T)CPsmb) } define Usmb = removed for security purposes # Samba over UDP { (U)DPsmb) } ###### Defines ###### # include "/etc/nftable.d/defines.nft" # include "/etc/nftable.d/chainForward.nft" # include "/etc/nftable.d/chainOutput.nft" # nft flush ruleset table inet filter { chain input { type filter hook input priority 0; ip6 saddr $myIPv6 ct state established counter accept ip saddr $myIPv4 ct state established counter accept ip6 saddr $lo6 ct state established counter accept ip saddr $lo4 ct state established counter accept iif "lo" ct state established counter accept iif "lo" ip6 saddr $lo6 ct state established counter accept iif "lo" ip saddr $lo4 ct state established counter accept iif != "lo" ip6 saddr $blov6 counter drop iif != "lo" ip saddr $blov4 counter drop fib daddr type broadcast ct state invalid,new,untracked counter reject fib daddr type multicast ct state invalid,new,untracked counter reject fib daddr type anycast ct state invalid,new,untracked counter reject tcp flags & rst == rst ct state invalid,new,untracked counter drop icmp type echo-request ct state invalid,new,untracked counter reject icmp type address-mask-request ct state invalid,new,untracked counter reject icmp type timestamp-request ct state invalid,new counter reject ct state new tcp dport 113 tcp flags & (fin | syn | rst | ack) == syn counter drop ip6 saddr $my6net ip6 daddr $myIPv6 ct state established counter accept ip6 daddr $my6net ip6 saddr $myIPv6 ct state established counter accept ip saddr $my4net ip daddr $myIPv4 ct state established counter accept ip daddr $my4net ip saddr $myIPv4 ct state established counter accept ip6 saddr $my6net ct state established counter accept ip saddr $my4net ct state related,established counter accept ip6 saddr { $lo6, $myIPv6 } tcp dport $mysql ct state established counter accept ip6 saddr { $lo6, $myIPv6 } udp dport $mysql ct state established counter accept ip saddr { $lo4, $myIPv4 } tcp dport $mysql ct state established counter accept ip saddr { $lo4, $myIPv4 } udp dport $mysql ct state established counter accept tcp dport $mysql ct state new,invalid counter drop udp dport $mysql ct state new,invalid counter drop tcp dport $mysql counter drop udp dport $mysql counter drop ip6 saddr { $lo6, $myIPv6 } tcp dport 631 ct state established counter accept ip6 saddr { $lo6, $myIPv6 } udp dport 631 ct state established counter accept ip saddr { $lo4, $myIPv4 } tcp dport 631 ct state established counter accept ip saddr { $lo4, $myIPv4 } tcp dport 631 ct state established counter accept tcp dport 631 ct state new,invalid counter drop udp dport 631 ct state new,invalid counter drop tcp dport 631 counter drop udp dport 631 counter drop ip6 saddr $g6dns ip6 daddr $myIPv6 udp dport 5353 ct state established counter accept ip6 saddr $g6dns ip6 daddr $myIPv6 tcp dport 5353 ct state established counter accept tcp dport $imapS ip6 daddr != $g6dns drop udp dport $imapS ip6 daddr != $g6dns drop tcp dport 5353 ct state invalid,new,untracked counter drop udp dport 5353 ct state invalid,new,untracked counter drop tcp dport 5353 counter drop udp dport 5353 counter drop ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 udp dport 53 ct state established counter accept ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 tcp dport 53 ct state established counter accept tcp dport $imapS ip daddr != {8.8.8.8, 8.8.4.4} log prefix "SPAMALERT!" drop udp dport $imapS ip daddr != {8.8.8.8, 8.8.4.4} log prefix "SPAMALERT!" drop tcp dport 53 ct state invalid,new,untracked counter drop udp dport 53 ct state invalid,new,untracked counter drop tcp dport 53 counter drop udp dport 53 counter drop ip6 daddr $myIPv6 tcp dport $squid ct state established counter accept ip6 daddr $myIPv6 udp dport $squid ct state established counter accept ip daddr $myIPv4 tcp dport $squid ct state established counter accept ip daddr $myIPv4 udp dport $squid ct state established counter accept tcp dport $squid ct state invalid,new,untracked counter drop udp dport $squid ct state invalid,new,untracked counter drop tcp dport $squid counter drop udp dport $squid counter drop ip6 daddr $myIPv6 tcp dport $httpS ct state established counter accept ip6 daddr $myIPv6 udp dport $httpS ct state established counter accept ip daddr $myIPv4 tcp dport $httpS ct state established counter accept ip daddr $myIPv4 udp dport $httpS ct state established counter accept tcp dport $httpS ct state invalid,new,untracked counter drop udp dport $httpS ct state invalid,new,untracked counter drop tcp dport $httpS counter drop udp dport $httpS counter drop ip6 saddr $my6net tcp dport $Usmb ct state established counter accept ip6 saddr $my6net udp dport $Usmb ct state established counter accept ip saddr $my4net ip daddr $myIPv4 tcp dport $Tsmb ct state established counter accept ip saddr $my4net ip daddr $myIPv4 udp dport $Usmb ct state established counter accept tcp dport $Tsmb ct state invalid,new,untracked counter drop udp dport $Usmb ct state invalid,new,untracked counter drop tcp dport $Tsmb counter drop udp dport $Usmb counter drop ip6 saddr $my6net ip6 daddr $myIPv6 tcp dport $ssh ct state established counter accept ip6 saddr $my6net ip6 daddr $myIPv6 udp dport $ssh ct state established counter accept ip6 saddr $myIPv6 tcp dport $ssh ct state established counter accept ip6 saddr $myIPv6 udp dport $ssh ct state established counter accept ip saddr $my4net ip daddr $myIPv4 tcp dport $ssh ct state established counter accept ip saddr $my4net ip daddr $myIPv4 udp dport $ssh ct state established counter accept ip saddr $myIPv4 tcp dport $ssh ct state established counter accept ip saddr $myIPv4 udp dport $ssh ct state established counter accept tcp dport $ssh ct state invalid,new,untracked counter drop tcp dport $ssh ct state invalid,new,untracked counter drop tcp dport $ssh counter drop tcp dport $ssh counter drop ip6 daddr $lo6 tcp dport $wbmn ip6 saddr $lo6 ct state established counter accept ip6 daddr $lo6 udp dport $wbmn ip6 saddr $lo6 ct state established counter accept ip6 daddr $myIPv6 tcp dport $wbmn ip6 daddr $myIPv6 ct state established counter accept ip6 daddr $myIPv6 udp dport $wbmn ip6 daddr $myIPv6 ct state established counter accept ip daddr $lo4 tcp dport $wbmn ip saddr $lo4 ct state established counter accept ip daddr $lo4 udp dport $wbmn ip saddr $lo4 ct state established counter accept ip daddr $myIPv4 tcp dport $wbmn ip saddr $myIPv4 ct state established counter accept ip daddr $myIPv4 udp dport $wbmn ip saddr $myIPv4 ct state established counter accept tcp dport $wbmn ct state invalid,new,untracked counter drop udp dport $wbmn ct state invalid,new,untracked counter drop tcp dport $wbmn counter drop udp dport $wbmn counter drop ct state established counter accept ct state invalid,new,untracked counter drop counter drop } chain forward { type filter hook forward priority 0; ct state new tcp flags & (fin | syn | rst | ack) != syn counter drop ct state invalid,new,untracked counter drop } chain output { type filter hook output priority 0; ip6 saddr $myIPv6 ct state established counter accept ip saddr $myIPv4 ct state established counter accept ip6 saddr $myIPv6 counter accept ip saddr $myIPv4 counter accept oif "lo" ip6 saddr $lo6 ct state established counter accept oif "lo" ip6 saddr $lo6 counter accept oif "lo" ip saddr $lo4 ct state established counter accept oif "lo" ip saddr $lo4 counter accept oif "lo" counter ct state established counter accept oif "lo" counter accept ip6 saddr $lo6 ct state established counter accept ip6 saddr $lo6 counter accept ip saddr $lo4 ct state established counter accept ip saddr $lo4 counter accept ip6 saddr $g6dns ip6 daddr $myIPv6 udp dport 5353 ct state established counter accept ip6 saddr $g6dns ip6 daddr $myIPv6 tcp dport 5353 ct state established counter accept ip6 saddr $g6dns ip6 daddr $myIPv6 udp dport 5353 counter accept ip6 saddr $g6dns ip6 daddr $myIPv6 tcp dport 5353 counter accept ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 udp dport 53 ct state established counter accept ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 tcp dport 53 ct state established counter accept ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 udp dport 53 counter accept ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 tcp dport 53 counter accept ip6 daddr { $lo6, $myIPv6 } tcp sport $mysql ct state established counter accept ip6 daddr { $lo6, $myIPv6 } udp sport $mysql ct state established counter accept ip daddr { $myIPv4, $lo4 } tcp sport $mysql ct state established counter accept ip daddr { $myIPv4, $lo4 } udp sport $mysql ct state established counter accept tcp dport $mysql ct state invalid,new,related,untracked counter drop udp dport $mysql ct state invalid,new,related,untracked counter drop tcp dport $mysql counter drop udp dport $mysql counter drop tcp dport $squid ct state established counter accept udp dport $squid ct state established counter accept tcp dport $squid ct state invalid,untracked counter drop udp dport $squid ct state invalid,untracked counter drop tcp dport $squid counter drop udp dport $squid counter drop ip6 saddr $myIPv6 tcp dport $httpS ct state established counter accept ip6 saddr $myIPv6 udp dport $httpS ct state established counter accept tcp dport $httpS ct state established counter accept udp dport $httpS ct state established counter accept ip6 daddr $my6net udp dport $Usmb ct state established counter accept ip6 daddr $my6net tcp dport $Tsmb ct state established counter accept ip saddr $myIPv4 ip daddr $my4net tcp dport $Tsmb ct state established counter accept ip saddr $myIPv4 ip daddr $my4net udp dport $Usmb ct state established counter accept tcp dport $Tsmb ct state established counter accept udp dport $Usmb ct state established counter accept tcp dport $ssh ct state established counter accept udp dport $ssh ct state established counter accept ip6 saddr { $myIPv6, $lo6 } tcp dport $wbmn ct state established counter accept ip6 saddr { $myIPv6, $lo6 } udp dport $wbmn ct state established counter accept ip saddr { $myIPv4, $lo4 } tcp dport $wbmn ct state established counter accept ip saddr { $myIPv4, $lo4 } udp dport $wbmn ct state established counter accept tcp dport $wbmn ct state invalid,new,untracked counter drop tcp dport $wbmn ct state invalid,new,untracked counter drop tcp dport $wbmn counter drop tcp dport $wbmn counter drop ct state invalid,new,untracked counter drop counter drop } }