2 hours ago · Tech · 0 comments

Introduction

I have blogged about my pf firewall configurations a few times, but never my Linux ones. There is nothing especially unusual about them, but they do differ somewhat from the common nftables examples.

Configuration

This is the configuration for my Gentoo laptop. It has two WireGuard interfaces and references two egress interfaces, one for Ethernet and one for WiFi:

```
#!/sbin/nft -f

flush ruleset

define allowed_icmp_types = { echo-reply, echo-request };
define trusted_icmp_types = { destination-unreachable, time-exceeded };
define allowed_icmpv6_types = { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-request, echo-reply };
define egress_ifs = { enp0s31f6, wlp0s20f3 };

table inet filter {
    set private4 {
        type ipv4_addr;
        flags constant, interval;
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 };
    }

    set private6 {
        type ipv6_addr;
        flags constant, interval;
        elements = { fd00::/8, fe80::/10 };
    }

    chain forward_docker {
        # forward docker…
```
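As an added example (not part of the post), a small Python checker that parses the `define` lines and the interval sets from an nftables ruleset in the syntax above and reports which named set would match a given address, useful for sanity-checking the private-range sets before loading the file. The embedded excerpt is constructed from the post's own `egress_ifs`, `private4` and `private6` definitions; `nft` itself is not required.

```python
import ipaddress
import re

# Constructed excerpt using the post's set and define syntax (not the full ruleset).
RULESET = """
define egress_ifs = { enp0s31f6, wlp0s20f3 };
table inet filter {
    set private4 {
        type ipv4_addr;
        flags constant, interval;
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 };
    }
    set private6 {
        type ipv6_addr;
        flags constant, interval;
        elements = { fd00::/8, fe80::/10 };
    }
}
"""

# A set block ends at a closing brace that starts its own line; the
# inner "elements = { ... }" brace does not, so the non-greedy match stops correctly.
SET_RE = re.compile(r"set\s+(\w+)\s*\{(.*?)\n\s*\}", re.S)
ELEM_RE = re.compile(r"elements\s*=\s*\{([^}]*)\}")
DEFINE_RE = re.compile(r"define\s+(\w+)\s*=\s*\{([^}]*)\}")


def parse_defines(text):
    """Return {define_name: [element, ...]} for every brace-list define."""
    return {name: [v.strip() for v in body.split(",") if v.strip()]
            for name, body in DEFINE_RE.findall(text)}


def parse_sets(text):
    """Return {set_name: [ip_network, ...]} for every set that lists address intervals."""
    sets = {}
    for name, body in SET_RE.findall(text):
        m = ELEM_RE.search(body)
        if m:
            sets[name] = [ipaddress.ip_network(e.strip())
                          for e in m.group(1).split(",") if e.strip()]
    return sets


def matching_sets(text, address):
    """Sorted names of the parsed sets whose intervals contain `address`."""
    addr = ipaddress.ip_address(address)
    return sorted(name for name, nets in parse_sets(text).items()
                  if any(addr.version == n.version and addr in n for n in nets))
```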
