
Re: nft newbie



Drop and reject are not equivalent.
With _reject with icmpx_ you get an ICMP response when trying to
access a system and getting blocked by the firewall.
With _policy drop_, packets that are not allowed just get silently
dropped and don't give any feedback to the source.

In most cases it's a best practice to configure all chains with
_policy drop_ and then add rules for the traffic that you want to
allow (there are some exceptions, but for normal workstations I would
always start with policy drop). For machines that are not exposed to
the internet I also like to configure a reject at the bottom of all
chains; it helps a lot when debugging networking problems to know if
you are getting blocked by the firewall.

On Tue, 12 Jul 2022 at 1:27, Gareth Evans (<donotspam@fastmail.fm>) wrote:
>
> On Sun 10 Jul 2022, at 06:25, Gareth Evans <donotspam@fastmail.fm> wrote:
>
> > Thanks Roger, that also suggests "policy drop" in its nftables examples.
>
> As someone on firewalld-users kindly pointed out, there is
>
> > table inet firewalld {
> >     chain filter_INPUT {
> [...]
> >         reject with icmpx admin-prohibited   <--- catch-all reject
> >     }
>
> which seems equivalent to ufw's qualified "policy drop".
>
> Panic over.
> G
>


-- 
Maximiliano Estudies
VDT Referat Beschallung
+49 176 36784771
omslo.com
maxiestudies.com
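To make the advice above concrete, here is an added nftables ruleset (not part of the thread and not anything firewalld or ufw generates) for a workstation that is not exposed to the internet: every base chain carries `policy drop`, the permitted traffic is listed explicitly, and a counted `reject with icmpx` sits at the bottom of the input and forward chains. The LAN prefix, the choice of allowed services and the file name are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): "policy drop" on every base chain,
# explicit accept rules, and a catch-all reject at the bottom so a blocked
# connection gets an ICMP/ICMPv6 error right away instead of a timeout.
# Load with:  nft -f workstation.nft   (the file name is an assumption)
# Note: "flush ruleset" replaces whatever ruleset is currently loaded.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and already-established/related traffic are always fine
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery, neighbour discovery, etc.
        meta l4proto { icmp, icmpv6 } accept

        # assumed: SSH only from the local LAN (192.0.2.0/24 is a placeholder prefix)
        ip saddr 192.0.2.0/24 tcp dport 22 accept

        # catch-all: everything not accepted above is rejected, not dropped.
        # "counter" lets you see on the firewall side how often it fires;
        # the client sees "connection refused"/"admin prohibited" immediately.
        counter reject with icmpx type admin-prohibited
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # a workstation does not route: reject here too, so a misconfigured
        # host gets an error instead of a silent black hole
        counter reject with icmpx type admin-prohibited
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        ct state established,related accept
        meta l4proto { icmp, icmpv6 } accept

        # assumed set of outbound services for this workstation:
        # DNS, DHCP, NTP, HTTP/HTTPS and SSH
        udp dport { 53, 67, 68, 123 } accept
        tcp dport { 53, 22, 80, 443 } accept

        # anything else the host tries to send is rejected with a counter,
        # so an unexpected outbound attempt shows up both locally (error)
        # and in "nft list chain inet filter output"
        counter reject with icmpx type admin-prohibited
    }
}
```

After loading, `nft list ruleset` shows the packet/byte counts on each catch-all rule, which is the quickest way to confirm that a failing connection is being blocked by this host's firewall rather than somewhere else on the path. For a machine that is exposed to the internet, the thread's reasoning points the other way: replace the catch-all `reject` in `input` with `counter drop` (or rely on the chain policy alone) so that unsolicited probes get no feedback at all.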

