doc: firewall: add nftables tips

2024-10-01 01:25:40 -04:00 · 2023-11-03 14:50:42 +01:00 · 2023-11-03 14:50:42 +01:00 · d6ad647518
commit d6ad647518
parent 5738e75e46
1 changed files with 21 additions and 0 deletions
--- a/user/security-in-qubes/firewall.md
+++ b/user/security-in-qubes/firewall.md
@ -430,3 +430,24 @@ tcpdump -i eth0 -nn dst port 22 and src net 192.168.x.y/24
 ```

 This can be used effectively in a destination qube and its Network VM to see if forwarding / NAT rules are working.
+
+Nftables tips
+-------------
+
+A simple way to experiment changes with your ruleset can be achieved by saving the current working ruleset in two files, one for backup and the other for making changes.
+
+By adding `flush ruleset` at the top of the file, you can achieve atomic update, which mean the new ruleset would replace the current one only if it fully succeed to load.
+
+You can dump the ruleset in two files using the following command:
+
+```
+nft list ruleset | tee nft_backup | tee nft_new_ruleset
+```
+
+Then, edit `nft_new_ruleset`, add `flush ruleset` on top and make changes, load it with `nft -f nft_new_ruleset`.
+
+You can revert to the original ruleset with the following commands:
+
+```
+nft flush ruleset && nft -f nft_backup
+```