On 07/07/2022 at 10:11, Roger Price wrote:
> I looked at the workstation example, but it doesn't even allow access via ssh. On my Debian 11 box I found /usr/share/doc/nftables/examples/workstation.nft which does show how to allow incoming ssh, http and https traffic.
>
> Newbie 1: Is it normal for nftables configuration files to be executable? As a newcomer, I expected something more "traditional", i.e. a file containing only key words and data values.
Yes, it is. If you look at the first line, you see it is a script to be evaluated by /usr/sbin/nft.
> Newbie 2: Command ls -l /etc/nftables.conf reports
>
>     -rwxr-xr-x 1 root root 228 Jan 17 2021 /etc/nftables.conf*
>
> This looks as if anyone can read and execute this file. I tried as a simple user and got the error message
>
>     /etc/nftables.conf:3:1-14: Error: Could not process rule: Operation not permitted
>     flush ruleset
>     ^^^^^^^^^^^^^^
>
> Is execution not permitted for non-root/non-file owner?
nft configuration is indeed possible only for root.
> Newbie 3: The configuration file begins with the Bash shebang #!/usr/sbin/nft -f but the Debian 11 man page for nftables says
>
>     -f, --file filename
>         Read input from filename. If filename is -, read from stdin.
>
> and doesn't mention omitting the filename. I'm guessing that -f with no file name means "read from the remainder of this file". Is this correct?
It's very old for me (I began Unix in 1990), but in my understanding, when a file begins with a shebang, the line after the shebang is completed with the path to the file and the full line is then executed, thus you'll end up with a command line of /usr/sbin/nft -f /etc/nftables.conf
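As an added example (not from the thread; the ruleset and file names are constructed), a small POSIX shell script that reproduces the shebang expansion described above, writes a workstation-style ruleset permitting ssh/http/https, and syntax-checks it with nft -c when nft is installed:

```shell
# Added example; the ruleset and file names are constructed, not Debian's.

# Build the command line the kernel runs for an executable file starting with
# "#!": interpreter, at most one argument (everything after the interpreter,
# whitespace-trimmed), then the path of the file itself.
shebang_cmdline() {
    first=$(head -n 1 "$1")
    case $first in
        '#!'*) ;;
        *) echo "$1: no shebang" >&2; return 1 ;;
    esac
    rest=$(printf '%s' "${first#??}" | tr -s '\t ' ' ' | sed 's/^ //; s/ $//')
    interp=${rest%% *}
    arg=${rest#"$interp"}
    arg=${arg# }
    if [ -n "$arg" ]; then
        printf '%s %s %s\n' "$interp" "$arg" "$1"
    else
        printf '%s %s\n' "$interp" "$1"
    fi
}

# Write a constructed workstation-style ruleset: accept loopback, replies to
# our own connections, ICMP and new ssh/http/https connections; count and
# drop the rest. Mode 0755 mirrors the Debian package; since only root can
# apply it, the group/other execute bits grant nothing extra.
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { 22, 80, 443 } ct state new accept
        counter drop
    }
}
EOF
    chmod 0755 "$1"
}

# Validate without applying (nft -c); applying it (nft -f) needs root.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; check skipped" >&2; return 0; }
    if nft -c -f "$1"; then echo "syntax ok: $1"; else echo "nft -c failed (status $?)" >&2; fi
}

f=$(mktemp); write_ruleset "$f"; echo "kernel would run: $(shebang_cmdline "$f")"; check_ruleset "$f"; rm -f "$f"
```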