Hi,

I have my simple nftables firewall working (thanks to people who have
posted).


However I have one issue, my nftables is not recognising the label
'dns' for port 53, although it is recognising labels for other ports
that I have been using (e.g. ssh, http, ntp, https).


When I checked on the Internet, I find that other people are using the
label 'dns'. I wonder if I am the only one having this issue? 


It is not much of an issue, anyway, as it is just as easy to use
numerical port numbers.



Other checks on the Internet show that some people have previously
reported issues with other labels, like ssh, whereas I am not.


George.



=============================
On Debian Bookworm headless server (built this morning)



Set rules to use labels (e.g. dns) and not numerical values


# nano /etc/nftables.conf

...

                oifname "enp1s0" ct state new udp dport dns accept
                oifname "enp1s0" ct state new tcp dport { ssh, dns, http, ntp, https } accept

...


# systemctl restart nftables.service
Job for nftables.service failed because the control process exited
with error code.
See "systemctl status nftables.service" and "journalctl -xeu
nftables.service" for details.

# journalctl -xeu nftables.service
...
 The process' exit code is 'exited' and its exit status is 1.
Aug 06 13:54:51 debmcfwt nft[1519]: /etc/nftables.conf:24:50-52: Error: Could not resolve service: Servname not supported for ai_socktype
Aug 06 13:54:51 debmcfwt nft[1519]:                 oifname "enp1s0" ct state new tcp dport { ssh, dns, http, ntp, https } accept
Aug 06 13:54:51 debmcfwt nft[1519]:                                                                ^^^
Aug 06 13:54:51 debmcfwt systemd[1]: nftables.service: Failed with result 'exit-code'.
...

Set rules to use 53 and not dns
# nano /etc/nftables.conf

...

                oifname "enp1s0" ct state new udp dport 53 accept
                oifname "enp1s0" ct state new tcp dport { ssh, 53, http, ntp, https } accept
...


Restarting nftables no longer causes an error report.
# systemctl restart nftables.service
#

A few web pages of different but similar or not so similar issues:

https://linux-audit.com/nftables-beginners-guide-to-traffic-filtering/

ip daddr 127.0.0.1 tcp dport {http, postgresql, ipp} accept
udp dport dns accept
tcp dport {dns, http, ntp, https, 9418} accept


Aug 06 13:46:05 debmcfwt nft[1505]: /etc/nftables.conf:24:45-47: Error: Could not resolve service: Servname not supported for ai_socktype
Aug 06 13:46:05 debmcfwt nft[1505]:                 oifname "enp1s0" ct state new tcp dport { dns, ssh, http, ntp, https } accept
Aug 06 13:46:05 debmcfwt nft[1505]:                                                           ^^^
Aug 06 13:46:05 debmcfwt systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE



https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1821654.html
    root@main:~# nft -c 'table filter {chain INPUT {tcp dport ssh;};}'
    Error: Could not resolve service: Servname not supported for ai_socktype
    table filter {chain INPUT {tcp dport ssh;};}
                                         ^^^

https://git.netfilter.org/nftables/commit/?id=818f7dded9c9e8a89a2de98801425536180ae307
evaluate: reset ctx->set after set interval evaluation
Otherwise bogus error reports on set datatype mismatch might occur,
such as:

Error: datatype mismatch, expected Internet protocol, expression has
type IPv4 address
    meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
    ~~~~~~~~~~~~ ^^^^^^^^^^^^

with an unrelated set declaration.


============================================


# cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        iifname "enp1s0" ct state established,related accept
        iifname "enp1s0" ct state new tcp dport ssh accept
        iifname "enp1s0" ct state new tcp dport 25565 accept
        iifname "enp1s0" ct state new tcp dport 8123 accept
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }

    chain OUTPUT {
        type filter hook output priority filter; policy drop;
        oifname "lo" accept
        oifname "enp1s0" ct state established,related accept
        oifname "enp1s0" ct state new udp dport 53 accept
        oifname "enp1s0" ct state new tcp dport { ssh, 53, http, ntp, https } accept
        oifname "enp1s0" icmp type {echo-request} accept
    }
}
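The error text in the journal is glibc's message for getaddrinfo() failing with EAI_SERVICE: nft resolves a non-numeric dport value through the NSS "services" database, which on a stock Debian system is /etc/services, and that file lists port 53 under the name "domain", not "dns". The script below is an added example (my own, not George's and not part of nftables) that checks a ruleset's service names against that file before the unit is restarted; it assumes the NSS "files" source and one rule per line.

```shell
#!/bin/sh
# Added example (not from the original post): find service names in an
# nftables ruleset that nft will fail to resolve. nft looks non-numeric
# 'dport' values up with getaddrinfo(), i.e. the NSS "services" database,
# which on a default Debian install is /etc/services; port 53 is listed
# there as "domain", not "dns". Assumes one rule per line and the NSS
# "files" source, so the file is consulted directly.

SERVICES_FILE="${SERVICES_FILE:-/etc/services}"

# service_port NAME PROTO: print NAME's port for PROTO (primary name or
# alias), return 1 if there is no such entry.
service_port() {
    awk -v name="$1" -v proto="$2" '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }
        {
            split($2, pp, "/")             # "53/udp" -> pp[1]=53, pp[2]=udp
            if (pp[2] != proto) next
            for (i = 1; i <= NF; i++) {    # $1 is the name, $3.. are aliases
                if (i == 2) continue
                if ($i == name) { print pp[1]; found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$SERVICES_FILE"
}

# Purely numeric dport values never trigger a lookup in nft.
is_numeric() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# list_nft_services FILE: print "proto name" for each non-numeric
# "tcp dport"/"udp dport" value in FILE, bare or inside a { set }.
list_nft_services() {
    sed -E -n 's/.*(tcp|udp) dport ([{][^}]*[}]|[^ {]+).*/\1 \2/p' "$1" |
    tr -d '{},' |
    while read -r proto names; do
        for n in $names; do
            is_numeric "$n" || echo "$proto $n"
        done
    done
}

# unresolvable_services FILE: print "name/proto" for every service name
# the lookup cannot resolve; return 1 if any were found, 0 otherwise.
unresolvable_services() {
    list_nft_services "$1" | while read -r proto name; do
        service_port "$name" "$proto" >/dev/null || echo "$name/$proto"
    done | grep . && return 1
    return 0
}
```

Run as `unresolvable_services /etc/nftables.conf` before `systemctl restart nftables.service`; `getent services dns` versus `getent services domain` shows the same lookup result through NSS itself.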
