strom/nft-simple-fw
Not so simple nftables firewall based solely on nft
This repository has been archived on 2024-03-30. You can view files and clone it, but cannot push or open issues or pull requests.
Files (name: last commit, date):

  • nft-blackhole: Unsolicited broadcast/multicast handling (2020-11-15 17:17:44 +01:00)
  • services.d: Count total dropped and rejected packets (2020-11-19 13:34:35 +01:00)
  • systemd: Count total dropped and rejected packets (2020-11-19 13:34:35 +01:00)
  • zones: Count total dropped and rejected packets (2020-11-19 13:34:35 +01:00)
  • conf.def: Count total dropped and rejected packets (2020-11-19 13:34:35 +01:00)
  • fw.nft: Count total dropped and rejected packets (2020-11-19 13:34:35 +01:00)
  • LICENSE: Create README.md (2020-11-14 00:27:59 +01:00)
  • README.md: Count total dropped and rejected packets (2020-11-19 13:34:35 +01:00)

nft-simple-fw

nftables framework ruleset compartmentalizing traffic into different zones.
Supports private subnets and vpn interfaces and provides a custom template for nft-blackhole, s

Uses performant interface group matching for distinguishing interfaces.

default zone policies

filter type

  • public, private, forward: reject
  • vpn, output: accept

Usage

  • Customize conf.def and the filter zones in zones to your liking if you don't agree with the sane defaults.
  • Assign interface groups via systemd-networkd (see conf.def), create/edit services.d/{forward,private,public,vpn}/*.nft files for the services you wish to use and load via `nft -f fw.nft`, or use the supplied systemd service file systemd/nft-fw.service.
  • If you are using nft-blackhole, symlink nft-blackhole/template.nft to /usr/share/nft-blackhole/nft-blackhole.template.
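As an added example (not the project's own fw.nft, zones or conf.def, whose contents are not shown on this page), the following stand-alone ruleset wires together the three ideas described above: interface group matching for zone dispatch, the default zone policies listed under "filter type" (reject for public, private and forward; accept for vpn and output), and named counters for the total dropped and rejected packets. The group numbers (1 = public, 2 = private, 3 = vpn) and the opened services are assumptions; the group number is set on each link with Group= in the [Link] section of its systemd-networkd .network file. Because an nftables base chain policy can only be accept or drop, the "reject" default of a zone is implemented as a trailing reject rule in that zone's chain rather than as a chain policy.

```nft
#!/usr/sbin/nft -f
# Added example, not the project's own fw.nft. Interface group numbers
# (1 = public, 2 = private, 3 = vpn) are assumed; set them on each link
# with Group= in the [Link] section of its systemd-networkd .network file.

define GRP_PUBLIC  = 1
define GRP_PRIVATE = 2
define GRP_VPN     = 3

flush ruleset

table inet fw {
    # named counters: totals survive rule edits and can be read with
    #   nft list counter inet fw dropped
    counter dropped  {}
    counter rejected {}

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid counter name "dropped" drop
        iif lo accept

        # zone dispatch: one interface group match instead of per-name rules
        iifgroup $GRP_PUBLIC  jump zone_public
        iifgroup $GRP_PRIVATE jump zone_private
        iifgroup $GRP_VPN     jump zone_vpn

        # packets arriving on an interface that is in no known group
        counter name "dropped" drop
    }

    # public: reject by default, only explicitly listed services pass
    chain zone_public {
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        tcp dport 22 accept
        counter name "rejected" reject
    }

    # private: reject by default, but more services are opened (assumed set)
    chain zone_private {
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { 22, 80, 443 } accept
        udp dport 53 accept
        counter name "rejected" reject
    }

    # vpn: accept by default
    chain zone_vpn {
        accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        # only vpn peers may reach the private subnet (assumed policy)
        iifgroup $GRP_VPN oifgroup $GRP_PRIVATE accept
        counter name "rejected" reject with icmpx type admin-prohibited
    }

    # output: accept by default
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Validate the file without loading it using `nft -c -f <file>`, then load it with `nft -f <file>`. After traffic has flowed, `nft list counter inet fw dropped` and `nft list counter inet fw rejected` show the running totals; a rising "dropped" counter with no matching zone chain usually means an interface has not been assigned a group yet.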