veganism.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Veganism Social is a welcoming space on the internet for vegans to connect and engage with the broader decentralized social media community.
#nftables

Comparing firewall syntax for SSH (port 22) with default-deny:
================================================

#iptables (Linux)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP

#nftables (Linux)
nft add rule inet my_filter input tcp dport 22 accept
nft add rule inet my_filter input drop

#ufw (Linux - simplified frontend to iptables)
ufw allow 22/tcp
ufw default deny incoming

#pf (OpenBSD)
pass in proto tcp to port 22
block all

pf’s syntax feels so elegant, human-readable, & minimal!

After 20 years scripting iptables, I’m ready to try UFW on my laptop.
#firewall #sysadmin #pf #iptables #ufw #nftables
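The four two-line pairs above are the smallest possible comparison, and that is all they are meant to be. Taken literally, the raw iptables and nft pairs also drop the reply packets to the host's own outgoing connections (DNS answers, apt mirrors, and so on), because a default-deny input chain needs a connection-tracking rule before it is usable; ufw adds that rule for you behind the scenes. The ruleset below is an added example, not part of the post, showing what the nftables version looks like once those pieces are in place. The table and chain names (`filter`, `input`) are assumptions; everything else is standard nft syntax.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny input policy that only exposes SSH (tcp/22)
# while keeping the host itself usable. Load with "nft -f thisfile".
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic and replies to connections the host opened itself
        # are always allowed; without this rule outbound DNS/HTTP breaks.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path-MTU discovery and IPv6 neighbour
        # discovery; blocking them causes hard-to-diagnose stalls.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The one exposed service. Matching "ct state new" plus a rate limit
        # keeps SSH reachable but blunts password-guessing bursts.
        tcp dport 22 ct state new limit rate 10/minute accept

        # No verdict here: the packet falls through to the chain policy (drop).
        # The counter makes the dropped traffic visible in "nft list ruleset".
        counter comment "dropped by default policy"
    }

    chain forward {
        # This host is not a router, so nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Run `nft -c -f firewall.nft` first: `-c` parses and checks the file without loading it, which catches typos before they cost you the session. The `inet` family applies the same chain to IPv4 and IPv6, so the SSH rule does not need to be written twice.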

Recording afternoon! I started recording the new firewall course with #nftables from JuncoTIC.com! :D

Updates to the #iptables course are coming soon too... new diagrams, examples, and explanations, with better video and audio quality, as my students deserve :)

Slightly thrown by my new firewall rules working first time. No errors, and it didn't lock me out of the remote machine. I usually achieve one of these every time I try something new in #NFTables ...

Maybe I'm finally starting to properly understand.

TIL that if you have an nftables rule like

iif "blah" counter accept

then that interface "blah" has to already exist or else it's a syntax error. But if you do

iifname "blah" counter accept

then it doesn't have to exist already and will be looked up every time.

Details here: serverfault.com/a/985167

Server Fault: What is the difference between "iifname" and "iif" in nftables? (https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Meta) Is there any difference between iifname (outside the name is string) and iif and what is recommended?
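The practical difference behind that TIL: `iif` is resolved to an interface index when the ruleset is loaded, so the interface must exist at that moment and the rule silently stops matching if the interface is later deleted and recreated with a new index (VPN tunnels, container veths and hotplugged devices all do this). `iifname` compares the name string on every packet, so it loads regardless and keeps working across interface churn, and it is the only one of the two that accepts wildcards. The ruleset below is an added example, not the poster's; the table name `ifdemo` and the interface names `wg0` and `veth*` are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: when to use iif versus iifname. Check it with
# "nft -c -f thisfile" before loading.
table inet ifdemo {
    chain input {
        type filter hook input priority 0; policy drop;

        # iif: matched by interface index, resolved at load time. Fine for
        # "lo", which always exists and is never recreated.
        iif "lo" accept

        ct state established,related accept

        # iifname: matched by name on every packet. The rule loads even if
        # wg0 does not exist yet (e.g. WireGuard starts after the firewall)
        # and still matches after wg0 is torn down and brought up again.
        iifname "wg0" tcp dport 22 accept

        # Only iifname can match a pattern. Useful for container-created
        # interfaces whose exact names are not known when the ruleset is
        # written; here they are counted and dropped explicitly so the hits
        # show up in "nft list ruleset" rather than vanishing into the policy.
        iifname "veth*" counter drop
    }
}
```

Replace `iifname "wg0"` with `iif "wg0"` and run `nft -c -f` on a machine without that interface to see the load-time error the post describes. The cost of `iifname` is a string comparison per packet instead of an integer comparison; on anything but a very busy router that is not measurable, so `iifname` is the safer default and `iif` is an optimisation for interfaces that are guaranteed stable.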

Wouldn't it be nice if you could say "run the following command without internet access"? Of course you can set up your #Linux to do that.

askubuntu.com/a/423105 lists some approaches. My favorite one works by asking sudo to change the group ID to a certain group, and then matching on those packets in the firewall rules.

I'm using the modern #nftables way here.

(This is a somewhat advanced topic, which is why I'm not providing a copy-pasteable template, only inspiration.)
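For readers who want to see the shape of the nftables half of that approach, the ruleset below is an added example (not the poster's, and not the askubuntu answer verbatim). It assumes a dedicated group named `nonet` has been created with `groupadd nonet`; the table name is also an assumption. The match uses `meta skgid`, which compares the group that owns the originating socket, so any process started with that group as its primary group has its traffic refused.

```nft
#!/usr/sbin/nft -f
# Added example: refuse network access for any process whose sockets are
# owned by the "nonet" group (assumed to exist: groupadd nonet).
# Group names are resolved when the file is loaded, so the group must
# exist before "nft -f thisfile".
table inet nonet {
    chain output {
        type filter hook output priority 0; policy accept;

        # Keep loopback open so local services (stub resolver, display
        # server sockets, a local database) remain reachable.
        oif "lo" accept

        # Everything else from a nonet-owned socket is refused. "reject"
        # rather than "drop" makes the command fail immediately with an
        # error instead of hanging until its own timeouts expire.
        meta skgid nonet counter reject
    }
}
```

Usage is then `sudo -g nonet some-command` (sudo's `-g` sets the primary group of the command), and the `counter` on the reject rule lets you confirm with `nft list ruleset` that attempts were actually blocked. Two caveats worth knowing before relying on it: the loopback exception means the confined command can still talk to any proxy or tunnel listening locally, and `skgid` only governs sockets the process creates itself, so it is a convenience for well-behaved tools, not a sandbox.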

Any #sysop cursed people here know what #nftables / #iptables incantations I need to allow a container to reach itself (or another container) through the public IP of the host?

I can reach the containers from outside fine, the port forwarding works, but when the packets come from within the routing breaks down and the packets drop.

Wanted to share a recent project of mine from the past few weeks to turn my #nanopi r5s #sbc into a really potent pure debian Linux router that was sane to manage.

I was able to successfully switch over this weekend and retire my edgerouter-6p.

The formula is basically #ansible #systemd stuff #netplan #dnsmasq #frrouting and #foomuuri -- the lynchpin solution for sanely doing robust zone-to-zone firewalls using #nftables

Repo linked below has more details:

github.com/lanefu/clammy-ng

GitHub - lanefu/clammy-ng: The next generation ansible-managed linux router framework using all the trendy new things