Firewall mit nft
Firewall-Regelsatz (nftables), der nur bestimmte MAC-Adressen zulässt:
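# Host firewall for IPv4 and IPv6 (family inet). Input and forward default to
# drop, output to accept.
table inet filter {
	# MAC addresses allowed to reach the services opened below.
	# NOTE: a source MAC is not an authentication factor - any host on the same
	# L2 segment can forge it. This only narrows exposure on a trusted segment;
	# it does not replace SSH authentication or an IP-level allow-list.
	set allowed_macs {
		type ether_addr
		elements = { 12:34:56:78:9a:bc, bc:9a:78:56:34:12 }
	}

	chain INPUT {
		type filter hook input priority filter; policy drop;

		# Packets of tracked flows (including ICMP errors related to them) are
		# accepted here, before the ICMP drops below, so those drops only affect
		# unsolicited ICMP.
		ct state { established, related } accept
		ct state invalid drop

		iifname "lo" accept

		# Unsolicited ICMPv4 (ping included) and ICMPv6 echo are dropped.
		ip protocol icmp drop
		icmpv6 type echo-request drop

		# IPv6 neighbour discovery is accepted from any MAC (it is not covered by
		# the allow-list). Every other unsolicited ICMPv6 type, e.g. MLD queries,
		# falls through to the drop policy - check that this does not break IPv6
		# reachability on your segment.
		icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

		# SSH only from the allow-listed MACs, for IPv4 and IPv6 alike.
		# The previous rule accepted port 22 from any source MAC, so the MAC
		# restriction this ruleset is meant to provide was not enforced for the
		# one service it exposes.
		tcp dport 22 ether saddr @allowed_macs accept
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
	}
}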
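# ARP filtering. This covers IPv4 address resolution only; IPv6 neighbour
# discovery is ICMPv6 and is handled in the inet table.
table arp filter {
	# Same allow-list as in the inet table. nft sets are scoped to their table,
	# so it has to be declared here as well; keep both copies in sync.
	# The default gateway's MAC must be in this list, otherwise the host can no
	# longer resolve it and loses IPv4 connectivity beyond the segment.
	set allowed_macs {
		type ether_addr
		elements = { 12:34:56:78:9a:bc, bc:9a:78:56:34:12 }
	}

	chain INPUT {
		type filter hook input priority filter; policy drop;

		# Requests AND replies are restricted to the allow-list. The previous
		# rules accepted replies from any MAC, which let any host on the segment
		# answer this host's own ARP lookups - all the kernel needs to learn that
		# host's address - so filtering requests alone was bypassable.
		# The source MAC is forgeable either way; this only raises the bar.
		arp operation { request, reply } ether saddr @allowed_macs accept
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}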
nft list ruleset nft flush ruleset nft --check -f <ruleset-file> nft -f <ruleset-file> nft list rules nft list tables systemctl status nftables.service