Timotej Lazar
cf6b682cf8
Create a self-signed CA, set up group configs, add script to allow new connections through the firewall. In the base debian role, drop the default nftables forward chain with drop policy because it clashes with this. If you enable forwarding on a debian host, make sure to configure the firewall.
29 lines
890 B
Plaintext
29 lines
890 B
Plaintext
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority filter; policy drop
|
|
|
|
ct state vmap { invalid : drop, established : accept, related : accept }
|
|
iif lo accept
|
|
|
|
ip protocol icmp icmp type {
|
|
echo-request, echo-reply, destination-unreachable,
|
|
parameter-problem, time-exceeded,
|
|
} accept comment "accept some ICMPv4"
|
|
|
|
ip6 nexthdr icmpv6 icmpv6 type {
|
|
echo-request, echo-reply, destination-unreachable,
|
|
packet-too-big, parameter-problem, time-exceeded,
|
|
} accept comment "accept some ICMPv6"
|
|
|
|
ip6 hoplimit 255 ip6 nexthdr icmpv6 icmpv6 type {
|
|
nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, nd-router-solicit
|
|
} accept comment "accept IPv6 neighbor discovery"
|
|
}
|
|
}
|
|
|
|
include "/etc/nftables.d/*.nft"
|