Hi,

After years of using ipchains and later iptables as firewall I am now trying to 
use nft. :-)

I thought I understood it all and as far as I know I have a working config. But 
just trying to get a listing of the running config shows NOTHING.
linbookwormtest:~# nft list ruleset
linbookwormtest:~#

There is nothing in the journal about nft
linbookwormtest:~# journalctl -t nft
-- Journal begins at Mon 2023-03-27 13:07:50 CEST, ends at Mon 2023-04-24 
12:18:07 CEST. --
-- No entries --

And on an older server where I still have rsyslog installed there is also 
nothing in syslog. But that is no surprise when the journal database has 
nothing. ;-)

So nothing, not even a warning or an error. So how do I know if nft is running 
at all? I am guessing it does NOT run because.....
Even using just the default ruleset in /etc/nftables.conf shows nothing in the 
logs. It should at least show something right?

But even more telling... in my modified ruleset I have:

-----<Quote>---------------------
...
table inet firewall {

    chain inbound_ipv4 {
        # accepting ping (icmp-echo-request) for diagnostic purposes, within a certain rate limit:
        icmp type echo-request limit rate 5/second accept
    }
    chain inbound_ipv6 {
        # accept neighbour discovery otherwise connectivity breaks
        #
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # accepting ping (icmpv6-echo-request) for diagnostic purposes, within a certain rate limit:
        # icmpv6 type echo-request limit rate 5/second accept
    }

    chain inbound {
        # By default, drop all traffic unless it meets a filter criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Allow loopback traffic.
        iifname lo accept

        # Jump to chain according to layer 3 protocol using a verdict map
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

        # Allow SSH on port TCP/22 for IPv4 and IPv6.
        tcp dport { 22 } accept
...
-----<Quote>---------------------

Now whether I have those SSH lines enabled or disabled makes no difference, 
I can still logon using ssh. :-(

Now, how do I continue? It isn't even working on a clean install of Debian 
bookworm with the default config file.

Bonno Bloksma
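Added example, not part of the message above and not the Debian project's or the nftables project's own code: a small POSIX shell script that runs the checks a practitioner uses to answer "is nftables actually running?". It assumes the unit name nftables.service and the config path /etc/nftables.conf, as shipped by Debian's nftables package (both can be overridden through NFT_UNIT and NFT_CONF), and it uses only real nft and systemctl invocations (nft -c -f for a parse-only check, nft list ruleset for the live kernel state). The helper functions work on captured ruleset text, so they can be exercised on sample output without root.

```shell
#!/bin/sh
# nft-diagnose.sh: added example that checks whether a ruleset is really
# loaded. Assumes Debian's nftables.service and /etc/nftables.conf; both
# are overridable through the environment.
CONF="${NFT_CONF:-/etc/nftables.conf}"
UNIT="${NFT_UNIT:-nftables.service}"

# ruleset_loaded TEXT: 0 if the listing declares at least one table, else 1.
# An empty "nft list ruleset" means no table exists in the kernel, so no
# chain can be hooked and every packet passes unfiltered.
ruleset_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*table[[:space:]]'
}

# base_chain_count TEXT: number of base chains, i.e. chains carrying a
# "type <filter|nat|route> hook <hook> ..." line. A table holding only
# regular chains (no hook) is loaded but never sees traffic.
base_chain_count() {
    printf '%s\n' "$1" \
        | grep -Ec '^[[:space:]]*type[[:space:]]+(filter|nat|route)[[:space:]]+hook[[:space:]]' \
        || true
}

# dropping_input TEXT: 0 if some base chain on the input hook has policy drop.
dropping_input() {
    printf '%s\n' "$1" | grep -Eq 'hook[[:space:]]+input[[:space:]].*policy[[:space:]]+drop'
}

# diagnose: run the live checks (needs root for nft) and print one finding per line.
diagnose() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft binary not found; install the nftables package"
        return 1
    fi

    # 1. Does the config file parse? -c checks the syntax without loading it.
    if nft -c -f "$CONF" 2>/dev/null; then
        echo "config: $CONF parses"
    else
        echo "config: $CONF has errors:"
        nft -c -f "$CONF"
    fi

    # 2. Is the unit that loads the file at boot enabled and active?
    enabled=$(systemctl is-enabled "$UNIT" 2>/dev/null || true)
    active=$(systemctl is-active "$UNIT" 2>/dev/null || true)
    echo "unit: $UNIT enabled=${enabled:-unknown} active=${active:-unknown}"

    # 3. What does the kernel hold right now, regardless of any config file?
    live="$(nft list ruleset 2>/dev/null)"
    if ruleset_loaded "$live"; then
        echo "kernel: $(base_chain_count "$live") base chain(s) hooked"
        if dropping_input "$live"; then
            echo "kernel: input hook has policy drop"
        else
            echo "kernel: no dropping input chain; inbound traffic is accepted"
        fi
    else
        echo "kernel: ruleset is empty, nothing is filtered"
        echo "        (load it once with: nft -f $CONF; make it persistent with: systemctl enable --now $UNIT)"
    fi
}

# Run the live checks only when invoked as "nft-diagnose.sh run", so the
# helper functions can also be sourced or tested on captured output.
if [ "${1:-}" = "run" ]; then
    diagnose
fi
```

Run it as root with `sh nft-diagnose.sh run`. The three findings are deliberately independent: a config that parses but an empty kernel ruleset points at the unit never having loaded the file, while a loaded table with zero base chains points at a ruleset whose chains lack a `type ... hook ...` line.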
