projects
/
config
/
nftables.git
/ blobdiff
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Add a Makefile to make it easier to deploy the configuration
[config/nftables.git]
/
nftables-workstation.nft
diff --git
a/nftables-workstation.nft
b/nftables-workstation.nft
index
ecfb200
..
c1ffd80
100644
(file)
--- a/
nftables-workstation.nft
+++ b/
nftables-workstation.nft
@@
-42,10
+42,6
@@
table inet filter {
type filter hook input priority 0
policy drop
type filter hook input priority 0
policy drop
- ct state established,related accept
- ct state invalid drop
- ct state new jump in-new
-
iif lo accept
ip protocol icmp icmp type {
iif lo accept
ip protocol icmp icmp type {
@@
-67,7
+63,7
@@
table inet filter {
packet-too-big
} accept
packet-too-big
} accept
- # Allow
auto configuration support
.
+ # Allow
IPv6 Neighbor Discovery (RFC4861)
.
ip6 nexthdr ipv6-icmp icmpv6 type {
nd-router-advert,
nd-router-solicit,
ip6 nexthdr ipv6-icmp icmpv6 type {
nd-router-advert,
nd-router-solicit,
@@
-92,6
+88,11
@@
table inet filter {
# Allow IGMPv3 queries.
ip protocol igmp ip daddr 224.0.0.1 accept
# Allow IGMPv3 queries.
ip protocol igmp ip daddr 224.0.0.1 accept
+ # Stateful filtering for anything else.
+ ct state established,related accept
+ ct state invalid drop
+ ct state new jump in-new
+
# Silently drop other incoming broadcast and multicast traffic.
meta pkttype {broadcast, multicast} drop
# Silently drop other incoming broadcast and multicast traffic.
meta pkttype {broadcast, multicast} drop
projects / config / nftables.git / blobdiff