strom/nft-simple-fw
strom/nft-simple-fw
Archived
1
0
Fork 0
Code Activity
This repository has been archived on 2024-03-30. You can view files and clone it, but cannot push or open issues or pull requests.
nft-simple-fw/conf.def

79 lines
2.2 KiB
Modula-2
Raw Permalink Blame History

# fw filter priority (filter = 0)
define HOOK_FILTER_PRIORITY = filter
# Interface groups
define IIFGROUP_ETHERNET = 1
define IIFGROUP_VPN = 2
# Unique-local addresses
define NET_V6_UNIQUE_LOCAL = fc00::/7
# Dummy values
# https://git.netfilter.org/nftables/commit/?id=9297f5b5301b76bb24513b114f905e6fac0a90cd
define dummy_v4 = 192.0.2.0/24
define dummy_v6 = 2001:db8::/32
# Packets marked with this id bypass filtering
define MARK_FASTPATH_ID = 0xabad1dea
# Default verdict chain
# Values: {reject, drop}-verdict
define DEFAULT_VERDICT = reject-verdict
# Interface agnostic allow-/blocklists, skips further filtering
# Default timeout: 1d
# Contains dummy values and ip scanning networks like censys
define SET_ALLOW_NETS_V4 = { $dummy_v4 timeout 1s }
define SET_BLOCK_NETS_V4 = { $dummy_v4 timeout 1s }
define SET_ALLOW_NETS_V6 = { $dummy_v6 timeout 1s }
define SET_BLOCK_NETS_V6 = { $dummy_v6 timeout 1s }
# The verdict chain for the blocklists
# Values: $DEFAULT_VERDICT, {reject,drop}-verdict
define LIST_BLOCK_MODE = drop-verdict
# Only allow listed icmpv4 types
define SET_ALLOW_ICMP_V4 = {
echo-reply,
destination-unreachable,
source-quench,
echo-request,
router-advertisement,
router-solicitation,
time-exceeded
}
# Types additional to the rfc4890 chain
# Contains dummy values
define SET_ALLOW_ICMP_V6 = {
echo-request,
echo-reply
}
# Log format, see log.nft for details
# Values: log-{drop,reject}, nflog-{drop,reject}
define CHAIN_LOG_DISPATCH_DROP = log-drop
define CHAIN_LOG_DISPATCH_REJECT = log-reject
# Packets from static netblocks, handled in the xlist-lookup chain
# Useful for blocking large unwanted network ranges (INPUT)
# and allowing native public IPv6 inter-container communication (FORWARD)
define SET_STATIC_ALLOW_V4 = { $dummy_v4 }
include "./scanner.def"
define SET_STATIC_DROP_V4 = { $dummy_v4, $SCANNER_V4 }
# specify your public container IPv6 subnets here
define SET_STATIC_ALLOW_V6 = { $dummy_v6 }
define SET_STATIC_DROP_V6 = { $dummy_v6 }
# Service definitions for easier access
# Can be referenced in service files
## syncthing
define DPORT_TCP_SYNCTHING = 22000
define DPORT_UDP_SYNCTHING = 21027
## wireguard
define DPORT_TCP_WIREGUARD = 51820
## magic-wormhole
define DPORT_TCP_WORMHOLE = 4000-4001
# vim: set ft=nft
View git blame Copy permalink