strom/nft-simple-fw
Not so simple nftables firewall based solely on nft
This repository has been archived on 2024-03-30. You can view files and clone it, but cannot push or open issues or pull requests.

nft-simple-fw

nftables framework ruleset that compartmentalizes traffic into different zones.
Supports private subnets and VPN interfaces and provides a custom template for nft-blackhole.

Uses efficient interface group matching to distinguish interfaces.

zone policies

Packets traverse different zones depending on distinct criteria, mainly the interface group and/or destination address:

  • public: Packets coming from public ip ranges, passing through the main interface(s) (group 1 by default).
  • private: Packets coming from local networks, passing through the main interface(s) (group 1 by default).
  • forward: Packets destined for other machines or subnets not directly configured on the host but expected to be forwarded.
  • vpn: Packets passing through VPN interface(s) (group 2 by default).
  • output: Packets originating from the host itself.
  • default: Packets not matching any of the above interface groupings (group is unset).

Without any configuration, all zones except output and vpn reject packets by default unless they match some pre-defined criteria. See the zone's source comments for details.
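A minimal ruleset showing how the group-based zone dispatch above can be expressed in nft; this is an added illustration, not the repository's fw.nft. It assumes group 1 for the main interfaces, group 2 for VPN interfaces, nflog group 0 for ulogd2, and zone chains prefixed zone_ (the repository's own chain names may differ); groups are assigned via systemd-networkd as described under Usage, or for a quick test with `ip link set dev eth0 group 1`.

```nft
# Added illustration (not the repository's own fw.nft): a minimal inet ruleset
# steering packets into the zones described above by interface group.
# Assumed: group 1 = main interfaces, group 2 = VPN, nflog group 0 for ulogd2.

define IIFGROUP_ETHERNET = 1
define IIFGROUP_VPN = 2
define PRIVATE_NETS = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet zones {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # dispatch on interface group first, then on source address
        iifgroup $IIFGROUP_ETHERNET ip saddr $PRIVATE_NETS jump zone_private
        iifgroup $IIFGROUP_ETHERNET jump zone_public
        iifgroup $IIFGROUP_VPN jump zone_vpn
        iifgroup 0 jump zone_default    # group unset: ungrouped interfaces
        jump reject_log                 # any other grouped interface is rejected
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # forward zone: VPN clients may leave via the main interfaces only
        iifgroup $IIFGROUP_VPN oifgroup $IIFGROUP_ETHERNET accept
        jump reject_log
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    chain zone_public {
        tcp dport { 22, 443 } ct state new accept
        jump reject_log
    }
    chain zone_private {
        meta l4proto { icmp, icmpv6 } accept
        tcp dport { 22, 53, 443 } ct state new accept
        jump reject_log
    }
    chain zone_vpn { accept; }
    chain zone_default {
        # mild filtering only for local-network sources, as the caveats note
        ip saddr $PRIVATE_NETS tcp dport 22 accept
        jump reject_log
    }
    chain reject_log {
        counter log prefix "nft-reject: " group 0
        reject with icmpx type admin-prohibited
    }
}
```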

caveats

Packets to ungrouped interfaces traverse the default zone and are only subject to mild filtering when originating from inside the local network. Assign an interface group or customize the zone to change this behaviour. Packets to grouped interfaces other than IIFGROUP_{ETHERNET,VPN} (see conf.def) are rejected by default.

Usage

  • Customize conf.def and the filter zones in zones to your liking if you don't agree with the sane defaults.
  • Assign interface groups via systemd-networkd (see conf.def), create/edit services/{default,forward,private,public,vpn,output}.zone.d/*.nft files for the services you wish to use.
  • Load via nft -f fw.nft, or use the supplied systemd service file systemd/nft-fw.service, which expects the files to reside in /etc/nftables.
  • If you are using nft-blackhole, symlink nft-blackhole/template.nft to /usr/share/nft-blackhole/nft-blackhole.template.
  • If you want to keep your kernel log clean, an example configuration for ulogd2 is provided with ulogd2.conf. Only CHAIN_LOG_DISPATCH_{DROP,REJECT} inside conf.def need to be set accordingly to utilize the NFLOG target.