Hi,
I have my simple nftables firewall working (thanks to people who have posted). However I have one issue: my nftables is not recognising the label 'dns' for port 53, although it is recognising labels for other ports that I have been using (e.g. ssh, http, ntp, https). When I checked on the Internet, I find that other people are using the label 'dns'. I wonder if I am the only one having this issue? It is not much of an issue, anyway, as it is just as easy to use numerical port numbers. Other checks on the Internet show that some people have previously reported issues with other labels, like ssh, whereas I am not.

George.

=============================

On Debian Bookworm headless server (built this morning)

Set rules to use labels (e.g. dns) and not numerical values

# nano /etc/nftables.conf
...
oifname "enp1s0" ct state new udp dport dns accept
oifname "enp1s0" ct state new tcp dport { ssh, dns, http, ntp, https } accept
...

# systemctl restart nftables.service
Job for nftables.service failed because the control process exited with error code.
See "systemctl status nftables.service" and "journalctl -xeu nftables.service" for details.

# journalctl -xeu nftables.service
...
The process' exit code is 'exited' and its exit status is 1.
Aug 06 13:54:51 debmcfwt nft[1519]: /etc/nftables.conf:24:50-52: Error: Could not resolve service: Servname not supported for ai_socktype
Aug 06 13:54:51 debmcfwt nft[1519]: oifname "enp1s0" ct state new tcp dport { ssh, dns, http, ntp, https } accept
Aug 06 13:54:51 debmcfwt nft[1519]:                                                ^^^
Aug 06 13:54:51 debmcfwt systemd[1]: nftables.service: Failed with result 'exit-code'.
...

Set rules to use 53 and not dns

# nano /etc/nftables.conf
...
oifname "enp1s0" ct state new udp dport 53 accept
oifname "enp1s0" ct state new tcp dport { ssh, 53, http, ntp, https } accept
...

Restarting nftables no longer causes an error report.
# systemctl restart nftables.service
#

A few web pages of different but similar or not so similar issues:

https://linux-audit.com/nftables-beginners-guide-to-traffic-filtering/
ip daddr 127.0.0.1 tcp dport {http, postgresql, ipp} accept
udp dport dns accept
tcp dport {dns, http, ntp, https, 9418} accept

Aug 06 13:46:05 debmcfwt nft[1505]: /etc/nftables.conf:24:45-47: Error: Could not resolve service: Servname not supported for ai_socktype
Aug 06 13:46:05 debmcfwt nft[1505]: oifname "enp1s0" ct state new tcp dport { dns, ssh, http, ntp, https } accept
Aug 06 13:46:05 debmcfwt nft[1505]:                                           ^^^
Aug 06 13:46:05 debmcfwt systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE

https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1821654.html
root@main:~# nft -c 'table filter {chain INPUT {tcp dport ssh;};}'
Error: Could not resolve service: Servname not supported for ai_socktype
table filter {chain INPUT {tcp dport ssh;};}
                                     ^^^

https://git.netfilter.org/nftables/commit/?id=818f7dded9c9e8a89a2de98801425536180ae307
evaluate: reset ctx->set after set interval evaluation

Otherwise bogus error reports on set datatype mismatch might occur, such as:

Error: datatype mismatch, expected Internet protocol, expression has type IPv4 address
meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
             ~~~~~~~~~~~~                   ^^^^^^^^^^^^

with an unrelated set declaration.
============================================

# cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
  chain INPUT {
    type filter hook input priority filter; policy drop;
    iifname "lo" accept
    iifname "enp1s0" ct state established,related accept
    iifname "enp1s0" ct state new tcp dport ssh accept
    iifname "enp1s0" ct state new tcp dport 25565 accept
    iifname "enp1s0" ct state new tcp dport 8123 accept
  }
  chain FORWARD {
    type filter hook forward priority filter; policy drop;
  }
  chain OUTPUT {
    type filter hook output priority filter; policy drop;
    oifname "lo" accept
    oifname "enp1s0" ct state established,related accept
    oifname "enp1s0" ct state new udp dport 53 accept
    oifname "enp1s0" ct state new tcp dport { ssh, 53, http, ntp, https } accept
    oifname "enp1s0" icmp type {echo-request} accept
  }
}
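An added example of my own (not part of George's post): a small Python lint that pulls the dport labels out of nftables rules and checks each one against an /etc/services-style table, the database that nft's getaddrinfo() lookup consults. The embedded table is a constructed excerpt in /etc/services format; on Debian the port-53 entry is named domain and there is no dns alias, which is why dns fails to resolve while domain or 53 work.

```python
import re

# Constructed excerpt in /etc/services format (not a copy of any system file).
# Debian's netbase lists port 53 as "domain"; there is no "dns" name or alias.
SERVICES_EXCERPT = """\
ssh        22/tcp
domain     53/tcp        # Domain Name Server
domain     53/udp
http       80/tcp  www   # WorldWideWeb HTTP
ntp        123/udp       # Network Time Protocol
https      443/tcp       # http protocol over TLS/SSL
"""

def parse_services(text):
    """Map every service name and alias to the set of (port, proto) it names."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, portproto, *aliases = line.split()
        port, proto = portproto.split("/")
        for label in [name, *aliases]:
            table.setdefault(label, set()).add((int(port), proto))
    return table

DPORT_RE = re.compile(r"\b(?:tcp|udp)\s+dport\s+(\{[^}]*\}|\S+)")

def dport_labels(rule):
    """Return the non-numeric dport labels in one nft rule, e.g. ['ssh', 'dns']."""
    m = DPORT_RE.search(rule)
    if not m:
        return []
    operand = m.group(1).strip("{}")              # single label or a { set }
    labels = [x.strip() for x in operand.split(",")]
    return [x for x in labels if x and not x.isdigit()]

def unresolved_labels(rules, services_text=SERVICES_EXCERPT):
    """Labels nft would reject. nft hands each label to getaddrinfo(NULL, label,
    NULL, ...), so an entry for either tcp or udp is enough to resolve it."""
    table = parse_services(services_text)
    return sorted({label for rule in rules for label in dport_labels(rule)
                   if label not in table})

if __name__ == "__main__":
    rules = [
        'oifname "enp1s0" ct state new udp dport dns accept',
        'oifname "enp1s0" ct state new tcp dport { ssh, dns, http, ntp, https } accept',
    ]
    for label in unresolved_labels(rules):
        print(f"unresolvable service name: {label} (use 'domain' or the port number)")
```

Against a real host, `getent services dns` versus `getent services domain` performs the same lookup through the C library's services database.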