On 07/07/2022 at 10:11, Roger Price wrote:
I looked at the workstation example, but it doesn't even allow access
via ssh. On my Debian 11 box I found
/usr/share/doc/nftables/examples/workstation.nft which does show how to
allow incoming ssh, http and https traffic.
Newbie 1: Is it normal for nftables configuration files to be
executable? As a newcomer, I expected something more "traditional", i.e.
a file containing only key words and data values.
Yes, it is. If you look at the first line you see it is a script to be
evaluated by /usr/sbin/nft.
Newbie 2: Command ls -l /etc/nftables.conf reports
-rwxr-xr-x 1 root root 228 Jan 17 2021 /etc/nftables.conf*
This looks as if anyone can read and execute this file. I tried as a
simple user and got the error message
/etc/nftables.conf:3:1-14: Error: Could not process rule: Operation
not permitted
flush ruleset
^^^^^^^^^^^^^^
Is execution not permitted for non-root/non-file-owner?
nft configuration is indeed possible only for root.
Newbie 3: The configuration file begins with the Bash shebang
#!/usr/sbin/nft -f but the Debian 11 man page for nftables says
-f, --file filename Read input from filename. If filename is -, read
from stdin.
and doesn't mention omitting the filename. I'm guessing that -f with no
file name means "read from the remainder of this file". Is this correct?
It's very old for me (I began Unix in 1990), but in my understanding
when a file begins with a shebang the line after the shebang is completed
with the path to the file and the full line is then executed, thus
you'll end with a command line of /usr/sbin/nft -f /etc/nftables.conf
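A minimal ruleset of the kind this thread is about, written here as an added example and not a copy of the Debian workstation.nft or of the poster's /etc/nftables.conf: the shebang is what makes the file an nft script (loaded as /usr/sbin/nft -f <path> and therefore root-only), "flush ruleset" on line 3 is the statement the non-root error above pointed at, and the input chain drops by default while admitting ssh, http and https. The port numbers and the assumption that no other inbound service is needed are mine.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not the Debian workstation.nft).
flush ruleset

table inet filter {
    chain input {
        # Default policy: anything not accepted below is dropped
        type filter hook input priority 0; policy drop;

        # Replies and related traffic for connections we initiated or accepted
        ct state established,related accept

        # Packets conntrack cannot classify are dropped explicitly
        ct state invalid drop

        # Everything on the loopback interface is local and allowed
        iifname "lo" accept

        # ICMP and ICMPv6 (path MTU discovery, IPv6 neighbour discovery)
        ip protocol icmp accept
        meta l4proto icmpv6 accept

        # The inbound services the thread wants reachable: ssh, http, https
        # (assumed port numbers; only new connections need this rule)
        tcp dport { 22, 80, 443 } ct state new accept

        # Count what falls through so "nft list ruleset" shows dropped volume
        counter
    }

    chain forward {
        # A workstation does not route; refuse forwarded traffic
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic from the host itself is allowed
        type filter hook output priority 0; policy accept;
    }
}
```

As root, "nft -c -f /etc/nftables.conf" parses the file without loading it, which is the check to run before enabling the nftables service.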