nftables: use numeric port format

2024-09-27 19:15:43 +00:00 · 2022-06-30 06:58:20 -04:00 · 2022-06-30 06:58:20 -04:00 · 32074453eb
commit 32074453eb
parent 01f9274fc4
6 changed files with 21 additions and 21 deletions
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@ -7,7 +7,7 @@ table inet filter {
        type filter hook prerouting priority raw
        iif lo notrack
-        tcp dport {ssh, http, https} notrack
+        tcp dport {22, 80, 443} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -16,7 +16,7 @@ table inet filter {
        type filter hook output priority raw
        oif lo notrack
-        tcp sport {ssh, http, https} notrack
+        tcp sport {22, 80, 443} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -26,7 +26,7 @@ table inet filter {
        policy drop
        iif lo accept
-        tcp dport {ssh, http, https} accept
+        tcp dport {22, 80, 443} accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@ -7,7 +7,7 @@ table inet filter {
        type filter hook prerouting priority raw
        iif lo notrack
-        tcp dport {ssh, http, https} notrack
+        tcp dport {22, 80, 443} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -16,7 +16,7 @@ table inet filter {
        type filter hook output priority raw
        oif lo notrack
-        tcp sport {ssh, http, https} notrack
+        tcp sport {22, 80, 443} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -26,7 +26,7 @@ table inet filter {
        policy drop
        iif lo accept
-        tcp dport {ssh, http, https} accept
+        tcp dport {22, 80, 443} accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
--- a/nftables-dns.conf
+++ b/nftables-dns.conf
@ -7,8 +7,8 @@ table inet filter {
        type filter hook prerouting priority raw
        iif lo notrack
-        udp dport domain notrack
+        udp dport 53 notrack
-        tcp dport {ssh, domain} notrack
+        tcp dport {22, 53} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -17,8 +17,8 @@ table inet filter {
        type filter hook output priority raw
        oif lo notrack
-        udp sport domain notrack
+        udp sport 53 notrack
-        tcp sport {ssh, domain} notrack
+        tcp sport {22, 53} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -28,8 +28,8 @@ table inet filter {
        policy drop
        iif lo accept
-        udp dport domain accept
+        udp dport 53 accept
-        tcp dport {ssh, domain} accept
+        tcp dport {22, 53} accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@ -7,7 +7,7 @@ table inet filter {
        type filter hook prerouting priority raw
        iif lo notrack
-        tcp dport {ssh, smtp, http, submissions, imaps} notrack
+        tcp dport {22, 25, 80, 465, 993} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -16,7 +16,7 @@ table inet filter {
        type filter hook output priority raw
        oif lo notrack
-        tcp sport {ssh, smtp, http, submissions, imaps} notrack
+        tcp sport {22, 25, 80, 465, 993} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -26,7 +26,7 @@ table inet filter {
        policy drop
        iif lo accept
-        tcp dport {ssh, smtp, http, submissions, imaps} accept
+        tcp dport {22, 25, 80, 465, 993} accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@ -7,7 +7,7 @@ table inet filter {
        type filter hook prerouting priority raw
        iif lo notrack
-        tcp dport {ssh, http, https} notrack
+        tcp dport {22, 80, 443} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -16,7 +16,7 @@ table inet filter {
        type filter hook output priority raw
        oif lo notrack
-        tcp sport {ssh, http, https} notrack
+        tcp sport {22, 80, 443} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -26,7 +26,7 @@ table inet filter {
        policy drop
        iif lo accept
-        tcp dport {ssh, http, https} accept
+        tcp dport {22, 80, 443} accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
--- a/nftables-web.conf
+++ b/nftables-web.conf
@ -7,7 +7,7 @@ table inet filter {
        type filter hook prerouting priority raw
        iif lo notrack
-        tcp dport {ssh, http, https} notrack
+        tcp dport {22, 80, 443} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -16,7 +16,7 @@ table inet filter {
        type filter hook output priority raw
        oif lo notrack
-        tcp sport {ssh, http, https} notrack
+        tcp sport {22, 80, 443} notrack
        ip protocol icmp notrack
        meta l4proto ipv6-icmp notrack
    }
@ -26,7 +26,7 @@ table inet filter {
        policy drop
        iif lo accept
-        tcp dport {ssh, http, https} accept
+        tcp dport {22, 80, 443} accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept