
Re: nft newbie



On Wed, 6 Jul 2022, Will Mengarini wrote:
> * gene heskett <gheskett@shentel.net> [22-07/06=We 18:50 -0400]:
> > The man page while quite voluminous is as
> > usual mostly bereft of useful examples.
>
> <https://wiki.nftables.org/wiki-nftables/index.php/Main_Page#Examples>
> has various examples.

May I continue this thread by asking more newbie questions?

I looked at the workstation example, but it doesn't even allow access via ssh. On my Debian 11 box I found /usr/share/doc/nftables/examples/workstation.nft which does show how to allow incoming ssh, http and https traffic.

Newbie 1: Is it normal for nftables configuration files to be executable? As a newcomer, I expected something more "traditional", i.e. a file containing only keywords and data values.

Newbie 2: Command ls -l /etc/nftables.conf reports

   -rwxr-xr-x 1 root root 228 Jan 17  2021 /etc/nftables.conf*

This looks as if anyone can read and execute this file. I tried as a simple user and got the error message

   /etc/nftables.conf:3:1-14: Error: Could not process rule: Operation not permitted
   flush ruleset
   ^^^^^^^^^^^^^^

Is execution not permitted for non-root/non-file-owner users?

Newbie 3: The configuration file begins with the Bash shebang #!/usr/sbin/nft -f but the Debian 11 man page for nftables says

  -f, --file filename Read input from filename. If filename is -, read from stdin.

and doesn't mention omitting the filename. I'm guessing that -f with no file name means "read from the remainder of this file". Is this correct?

My apologies for asking such trivial stuff.
Roger

> <https://manpages.debian.org/testing/nftables/nft.8.en.html> is an
> HTML version of the man page, which is easier to navigate, at least.
>
> <https://wiki.nftables.org/wiki-nftables/index.php/Accepting_and_dropping_packets> may also be helpful.
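The following is an added example, not a file from the thread or from the Debian nftables package: a minimal workstation ruleset of the kind the Debian `workstation.nft` example describes, permitting incoming ssh, http and https and dropping everything else. The port list, the interface name and the log prefix are assumptions for illustration. It also shows why the file "executes": the kernel runs a `#!` file by invoking the interpreter line with the file path appended, so executing `/etc/nftables.conf` directly becomes `/usr/sbin/nft -f /etc/nftables.conf`. Reading the file is all the world-readable/executable mode grants an unprivileged user; applying the ruleset needs CAP_NET_ADMIN, which is the source of the `Operation not permitted` error on `flush ruleset`.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread or the Debian package).
# Running this file directly is equivalent to:  nft -f /etc/nftables.conf
# Either way the ruleset is applied, which requires CAP_NET_ADMIN (root).

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Keep replies to connections we opened; drop broken tracking state
        ct state vmap { established : accept, related : accept, invalid : drop }

        # Loopback traffic (interface name assumed to be "lo")
        iif "lo" accept

        # ICMP/ICMPv6 are needed for path MTU discovery, neighbour discovery, etc.
        meta l4proto { icmp, icmpv6 } accept

        # Services reachable from the network (port list is an assumption)
        tcp dport { 22, 80, 443 } accept

        # Everything else falls through to the chain policy (drop);
        # log the drops, rate limited, so the log cannot be flooded.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # A workstation does not route; drop anything asking to be forwarded.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

To check the file for syntax errors without changing the running ruleset, run `nft -c -f /etc/nftables.conf` as root; to apply it, `nft -f /etc/nftables.conf` (or execute the file directly, which does the same thing); `nft list ruleset` shows what the kernel actually loaded. The execute bit is only a convenience; a mode of 0644 or 0600 works just as well with `nft -f`, and a tighter mode also keeps the firewall policy from being readable by every local user.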

