Not so simple nftables firewal based solely on nft
| .github/workflows | ||
| nft-blackhole | ||
| services.d | ||
| systemd | ||
| zones | ||
| .gitignore | ||
| conf.def | ||
| fw.nft | ||
| LICENSE | ||
| log.nft | ||
| README.md | ||
nft-simple-fw
nftables framework ruleset comparting traffic into different zones.
Supports private subnets and vpn interfaces and provides a custom template for nft-blackhole.
Uses performant interface group matching for distinguishing interfaces.
default zone policies
filter zones
- public, private, forward: reject
- default: reject
- vpn, output: accept
Usage
- Customize conf.def and the filter zones in zones to your liking if you don't agree with the sane defaults.
- Assign interface groups via systemd-networkd (see conf.def), create/edit
services.d/{forward,private,public,vpn}/*.nftfiles for the services you wish to use and load vianft -f fw.nft, or use the supplied systemd service file systemd/nft-fw.service, which expects the files to reside in/etc/nftables. - If you are using nft-blackhole, symlink nft-blackhole/template.nft to
/usr/share/nft-blackhole/nft-blackhole.template.