new to nft

To: debian-firewall@lists.debian.org
Subject: new to nft
From: Dennis Filder <d.filder@web.de>
Date: Wed, 13 Jan 2021 22:53:01 +0100
Message-id: <[🔎] 20210113215301.GA3622@reader>
Mail-followup-to: debian-firewall@lists.debian.org
In-reply-to: <[🔎] 9e22c72d-334f-5cb9-1fb4-d654c7146189@mi.parisdescartes.fr>
References: <[🔎] 9e22c72d-334f-5cb9-1fb4-d654c7146189@mi.parisdescartes.fr>

On Wed, Jan 13, 2021 at 05:40:20PM +0100, François Patte wrote:

> Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

That is the address range for link-local addresses assigned via
stateless address autoconfiguration.  Think of it as an IP address
derived from the unique MAC address that gets automatically assigned.
It's not routable, i.e. you can only communicate with computers on the
local network, so you'd usually assign other IPv6 addresses that are
routable.

> I expect too accept connections from the internet to port 22222

I would specify the incoming interface here, too, just for clarity.

> The last line "log" is (for me) supposed to log all dropped packets, am I
> right?

Yes.

> For this last line, logwatch reports "logged packets on interface".
> logwatch with iptables reports "drop packets on the interface"
>
> Are these packets dropped or only logged?

Both.  The log messages should show up in the output of "dmesg".  I
usually use rules like this:

  log prefix "filter_inet:c_f_in  " flags all

This tells my which chain caused that log entry and some more details.
You could also use:

  counter log prefix "filter_inet:c_f_in  " flags all

It should add a counter of how often that rule was matched.  You can
inspect it with "list ruleset" or by listing that rule by its handle.

Regards,
Dennis.

Reply to:

References:
- new to nft
  - From: François Patte <francois.patte@mi.parisdescartes.fr>

Prev by Date: Re: new to nft
Next by Date: Projet informatique
Previous by thread: Re: new to nft
Next by thread: Projet informatique
Index(es):
- Date
- Thread