Re: nftables firewall question: matching udp in ipv6

To: debian-user@lists.debian.org
Subject: Re: nftables firewall question: matching udp in ipv6
From: Ralph Aichinger <ra@h5.or.at>
Date: Fri, 12 Jan 2024 18:48:51 +0100
Message-id: <[🔎] ZaF7g20KPWoQ7Rsa@pi.h5.or.at>
In-reply-to: <[🔎] e59bc1eb-3c46-4796-a7c6-07ae4857f79e@home.arpa>
References: <[🔎] dc4b5f9a70548e4b327953d2ef69c5e508cbaa51.camel@h5.or.at> <[🔎] e59bc1eb-3c46-4796-a7c6-07ae4857f79e@home.arpa>

On Fri, Jan 12, 2024 at 05:26:57PM +0000, Michael Kjörling wrote:
> My suggestion would be to insert a "udp log" rule. (Pretty sure you
> only need "udp", not "meta l4proto udp".)
  
Thanks,  I will try that. Yes "meta l4proto udp" might be cargo 
cult configuration ;)

> That will give you a firehose of information which will include ports,
> interfaces and other relevant information. You can then narrow it down
> until it logs the traffic you want to accept, at which point you can
> change the "log" action into an "accept" action.
> 
> Note that forwarding and filtering can interact in non-intuitive ways.
> You may need to add corresponding log rules to each relevant chain,
> maybe with a prefix to tell them apart.
  
Thanks a lot!

Ralph

Reply to:

References:
- nftables firewall question: matching udp in ipv6
  - From: Ralph Aichinger <ra@h5.or.at>
- Re: nftables firewall question: matching udp in ipv6
  - From: Michael Kjörling <2695bd53d63c@ewoof.net>

Prev by Date: Re: Temporary failure in name resolution
Next by Date: Re: Temporary failure in name resolution
Previous by thread: Re: nftables firewall question: matching udp in ipv6
Next by thread: Re: nftables firewall question: matching udp in ipv6
Index(es):
- Date
- Thread