71 lines
1.7 KiB
YAML
71 lines
1.7 KiB
YAML
---
|
|
# nftables_ufw_package_name: ufw
|
|
# nftables_ufw_package_state: absent
|
|
|
|
# nftables_package_name: nftables
|
|
# nftables_package_state: present
|
|
|
|
# nftables_service_name: nftables
|
|
# nftables_service_state: started
|
|
# nftables_service_enabled: true
|
|
|
|
# nftables_config_path: /etc/nftables.conf
|
|
|
|
nftables_builtin_defines:
|
|
REQUIRED_ICMPV6_TYPES:
|
|
- 1-4
|
|
- 130-136
|
|
- 141-143
|
|
- 148-149
|
|
- 151-153
|
|
TRACEROUTE_UDP_PORTS: 33434-33534
|
|
|
|
nftables_builtin_sets:
|
|
blackhole4:
|
|
- type ipv4_addr
|
|
- flags interval
|
|
blackhole6:
|
|
- type ipv6_addr
|
|
- flags interval
|
|
tcp_input_accept:
|
|
- type inet_service
|
|
- flags interval
|
|
- elements = { ssh }
|
|
udp_input_accept:
|
|
- type inet_service
|
|
- flags interval
|
|
|
|
nftables_input_builtin_rules:
|
|
- type filter hook input priority filter; policy drop;
|
|
- ip saddr @blackhole4 drop
|
|
- ip6 saddr @blackhole6 drop
|
|
- ct state established,related accept
|
|
- ct state invalid drop
|
|
- iifname "lo" accept
|
|
- icmpv6 type $REQUIRED_ICMPV6_TYPES accept
|
|
- icmpv6 type echo-request accept
|
|
- icmp type echo-request accept
|
|
- tcp dport @tcp_input_accept accept
|
|
- udp dport @udp_input_accept accept
|
|
# this should be last because these ports could be allowed
|
|
- udp dport $TRACEROUTE_UDP_PORTS reject
|
|
|
|
nftables_forward_builtin_rules:
|
|
- type filter hook forward priority filter; policy drop;
|
|
- ct state { established, related } accept
|
|
|
|
nftables_output_builtin_rules:
|
|
- type filter hook output priority filter; policy accept;
|
|
- ip daddr @blackhole4 drop
|
|
- ip6 daddr @blackhole6 drop
|
|
- ct state { established, related } accept
|
|
|
|
# nftables_sets:
|
|
# {}
|
|
#
|
|
# nftables_input_rules:
|
|
# []
|
|
#
|
|
# nftables_output_rules:
|
|
# []
|