From 5ba6cbd3d14e59be3cf6634fdf9d6c02b0c3e8b3 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 23 Apr 2024 02:08:57 -0400
Subject: [PATCH] nftables: simplify rules via untracked state
---
 nftables/nftables-attestation.conf | 4 +---
 nftables/nftables-discuss.conf | 4 +---
 nftables/nftables-mail.conf | 4 +---
 nftables/nftables-matrix.conf | 4 +---
 nftables/nftables-network.conf | 5 +----
 nftables/nftables-ns1.conf | 5 +----
 nftables/nftables-ns2.conf | 5 +----
 nftables/nftables-social.conf | 4 +---
 nftables/nftables-web.conf | 4 +---
 9 files changed, 9 insertions(+), 30 deletions(-)
diff --git a/nftables/nftables-attestation.conf b/nftables/nftables-attestation.conf
index dcddf51..58cc329 100644
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@@ -47,9 +47,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443 } goto input-tcp-service
- iif lo accept
- meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : drop, established : accept, related : accept }
+ ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-discuss.conf b/nftables/nftables-discuss.conf
index 6e22714..90f8632 100644
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
@@ -47,9 +47,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443 } goto input-tcp-service
- iif lo accept
- meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : drop, established : accept, related : accept }
+ ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-mail.conf b/nftables/nftables-mail.conf
index 391ff95..e9d6819 100644
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
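Review bot: The new `untracked: accept` entry in the ct state vmap now stands in for the removed `iif lo accept` and `meta l4proto { icmp, ipv6-icmp } accept` rules (and for the removed `udp dport 53` / `udp dport 123 accept` rules in the network, ns1 and ns2 hunks), so the input chain's accept set is no longer visible here: it is whatever the notrack rule(s) elsewhere in each file, outside this hunk, mark as untracked. Nothing in the hunk ties the two together, so a later edit that adds or widens a notrack rule silently widens what input accepts regardless of port, and a file whose notrack rule does not cover loopback or ICMP would now drop that traffic under `new : drop`. I would add a comment above the vmap line in each file, e.g. `# untracked = packets matched by this file's notrack rule(s); keep that rule's scope (lo, icmp, udp services) in sync with this accept`, and confirm per file that the notrack rule covers exactly the protocols and ports whose explicit accepts were removed. Minor style point: the new entry is written `untracked: accept` while the neighbouring entries use `new : drop`; `untracked : accept` keeps the spacing consistent. The same applies to the discuss, mail, matrix, network, ns1, ns2, social and web hunks.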
@@ -59,9 +59,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
- iif lo accept
- meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : drop, established : accept, related : accept }
+ ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-matrix.conf b/nftables/nftables-matrix.conf
index dbd9872..82a2a98 100644
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
@@ -47,9 +47,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443 } goto input-tcp-service
- iif lo accept
- meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : drop, established : accept, related : accept }
+ ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-network.conf b/nftables/nftables-network.conf
index e394404..7484cfd 100644
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@@ -56,10 +56,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
- iif lo accept
- udp dport 123 accept
- meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : drop, established : accept, related : accept }
+ ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-ns1.conf b/nftables/nftables-ns1.conf
index be32c62..35cad87 100644
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@@ -49,10 +49,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
- iif lo accept
- udp dport 53 accept
- meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : drop, established : accept, related : accept }
+ ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index 10cb43f..e1fb0b2 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@@ -61,10 +61,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
- iif lo accept
- udp dport 53 accept
- meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : drop, established : accept, related : accept }
+ ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-social.conf b/nftables/nftables-social.conf
index 21b90fe..8ce2b6a 100644
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@@ -47,9 +47,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443 } goto input-tcp-service
- iif lo accept
- meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : drop, established : accept, related : accept }
+ ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-web.conf b/nftables/nftables-web.conf
index da9d5fe..e1dc5ed 100644
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
@@ -57,9 +57,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443 } goto input-tcp-service
- iif lo accept
- meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { new : drop, established : accept, related : accept }
+ ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {