Re: nft newbie

2022-07-12 Thread Erwan David
On 12/07/2022 at 22:00, Marco wrote: On Tue, 12 Jul 2022 21:17:40 +0200, wrote : That looks like a sensible strategy to me. It isn't at all, completely blocking incoming ICMP is a very stupid idea. ICMP is used for control messages, e.g. for Path MTU discovery. The only ICMP message that

Re: nft newbie

2022-07-12 Thread tomas
On Tue, Jul 12, 2022 at 08:00:42PM +, Marco wrote: > On Tue, 12 Jul 2022 21:17:40 +0200 > wrote : > > > That looks like a sensible strategy to me. > > It isn't at all, completely blocking incoming ICMP is a very stupid > idea. I didn't get that "blocking incoming ICMP" part. Just the

Re: nft newbie

2022-07-12 Thread Marco
On Tue, 12 Jul 2022 21:17:40 +0200, wrote : > That looks like a sensible strategy to me. It isn't at all, completely blocking incoming ICMP is a very stupid idea. ICMP is used for control messages, e.g. for Path MTU discovery. The only ICMP message that can be blocked is echo request or echo

Re: nft newbie

2022-07-12 Thread tomas
On Tue, Jul 12, 2022 at 07:13:06PM +0200, Erwan David wrote: [...] > It depends on your settings. Personally on a router I tend to Reject if the > ICMP goes to the internal network, drop if it would be sent outside. That > avoids some weird timeouts in the internal network (put your own

Re: nft newbie

2022-07-12 Thread Erwan David
On 12/07/2022 at 17:27, Henning Follmann wrote: On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote: On 2022-07-12 10:33, Gareth Evans wrote: On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies In most cases it's a best practice to configure all chains with _policy drop_ and then add

Re: nft newbie

2022-07-12 Thread Henning Follmann
On Tue, Jul 12, 2022 at 06:16:12PM +0200, to...@tuxteam.de wrote: > On Tue, Jul 12, 2022 at 11:27:41AM -0400, Henning Follmann wrote: > > On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote: > > > On 2022-07-12 10:33, Gareth Evans wrote: > > > > On Tue 12 Jul 2022, at 10:19, Maximiliano

Re: nft newbie

2022-07-12 Thread tomas
On Tue, Jul 12, 2022 at 11:27:41AM -0400, Henning Follmann wrote: > On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote: > > On 2022-07-12 10:33, Gareth Evans wrote: > > > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies > > > > > > In most cases it's a best practice to configure all

Re: nft newbie

2022-07-12 Thread tomas
On Tue, Jul 12, 2022 at 10:09:46AM -0400, gene heskett wrote: > On 7/12/22 05:36, Gareth Evans wrote: > > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies > > wrote: > [...] > > Why is it best practice? Is there any security advantage over rejection? > > > > Thanks, > > Gareth > > >

Re: nft newbie

2022-07-12 Thread Henning Follmann
On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote: > On 2022-07-12 10:33, Gareth Evans wrote: > > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies > > > > In most cases it's a best practice to configure all chains with > > > _policy drop_ and then add rules for the traffic that you

Re: nft newbie

2022-07-12 Thread Nicolas George
Stefan Monnier (12022-07-12): > Except that if you contact an IP address where there's no machine, you > may get a "no route to host" error (from the router that finds out > there's no machine at that address), whereas if that machine DROPs, then > you'll get no message, thus indicating that there

Re: nft newbie

2022-07-12 Thread gene heskett
On 7/12/22 05:36, Gareth Evans wrote: On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies wrote: [...] Why is it best practice? Is there any security advantage over rejection? Thanks, Gareth Absolutely. reject sends a msg back to the hacker that there is a machine at that address. drop

Re: nft newbie

2022-07-12 Thread Maximiliano Estudies
On Tue, 12 Jul 2022 at 14:13, Anssi Saari () wrote: > > "Gareth Evans" writes: > > > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies > > wrote: > > > >> drop and reject are not equivalent. > > > > Fair enough > > > > [...] > >> In most cases it's a best practice to configure all chains

Re: nft newbie

2022-07-12 Thread Anssi Saari
"Gareth Evans" writes: > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies > wrote: > >> drop and reject are not equivalent. > > Fair enough > > [...] >> In most cases it's a best practice to configure all chains with >> _policy drop_ and then add rules for the traffic that you want to >>

Re: nft newbie

2022-07-12 Thread fxkl47BF
On Tue, 12 Jul 2022, Gareth Evans wrote: > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies > wrote: > >> drop and reject are not equivalent. > > Fair enough > > [...] >> In most cases it's a best practice to configure all chains with >> _policy drop_ and then add rules for the traffic that

Re: nft newbie

2022-07-12 Thread Gareth Evans
> On 12 Jul 2022, at 11:31, mick crane wrote: > On 2022-07-12 10:33, Gareth Evans wrote: >> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies > >>> In most cases it's a best practice to configure all chains with >>> _policy drop_ and then add rules for the traffic that you want to >>> allow

Re: nft newbie

2022-07-12 Thread mick crane
On 2022-07-12 10:33, Gareth Evans wrote: On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies In most cases it's a best practice to configure all chains with _policy drop_ and then add rules for the traffic that you want to allow All the nftables and PF howtos I have found take this approach.

Re: nft newbie

2022-07-12 Thread Gareth Evans
On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies wrote: > drop and reject are not equivalent. Fair enough [...] > In most cases it's a best practice to configure all chains with > _policy drop_ and then add rules for the traffic that you want to > allow All the nftables and PF howtos I

Re: nft newbie

2022-07-12 Thread Maximiliano Estudies
drop and reject are not equivalent. with _reject with icmpx_ you get an icmp response when trying to access a system and get blocked by the firewall. with _policy drop_ packets that are not allowed just get silently dropped and don't give any feedback to the source. In most cases it's a best

Re: nft newbie

2022-07-11 Thread Gareth Evans
On Sun 10 Jul 2022, at 06:25, Gareth Evans wrote: > Thanks Roger, that also suggests "policy drop" in its nftables examples. As someone on firewalld-users kindly pointed out, there is > table inet firewalld { > chain filter_INPUT { [...] > reject with icmpx admin-prohibited <---

Re: nft newbie

2022-07-09 Thread Gareth Evans
On Sat 9 Jul 2022, at 10:05, Roger Price wrote: > On Sat, 9 Jul 2022, Gareth Evans wrote: > >> Also for any good nft/netfilter overview articles etc. > > Have you seen "Mastering Linux Security and Hardening", 2nd Edition, Donald > A. > Tevault, chapter 4. Suitable for those of us who read

Re: nft newbie

2022-07-09 Thread Roger Price
On Sat, 9 Jul 2022, Gareth Evans wrote: Also for any good nft/netfilter overview articles etc. Have you seen "Mastering Linux Security and Hardening", 2nd Edition, Donald A. Tevault, chapter 4. Suitable for those of us who read this newbie thread. Roger

Re: nft newbie

2022-07-09 Thread Gareth Evans
On Sat 9 Jul 2022, at 07:17, Gareth Evans wrote: [...] > If there is no drop by default, why add "policy accept" for > related/established as it does? Doesn't this happen anyway? I suppose this probably modifies behaviour for otherwise closed ports (which would make sense for a firewall!)

Re: nft newbie

2022-07-09 Thread Gareth Evans
Having found ufw suited my needs I have only dabbled with firewalld / firewall-config / firewall-applet over the years. Having noticed the recommendation for firewalld on the debian wiki re nftables https://wiki.debian.org/nftables#Use_firewalld I installed it and had a look at the default

Re: nft newbie

2022-07-07 Thread gene heskett
On 7/7/22 10:13, Tom Browder wrote: On Wed, Jul 6, 2022 at 7:17 PM Will Mengarini wrote: * gene heskett [22-07/06=We 18:50 -0400]: [...] iptables is out of support, replaced I guess with nft. [...] what's the command to [...] The nft is too complicated. UFW works great and is so easy. -Tom

Re: nft newbie

2022-07-07 Thread Tom Browder
On Wed, Jul 6, 2022 at 7:17 PM Will Mengarini wrote: > > * gene heskett [22-07/06=We 18:50 -0400]: > > [...] iptables is out of support, replaced I > > guess with nft. [...] what's the command to [...] The nft is too complicated. UFW works great and is so easy. -Tom

Re: nft newbie

2022-07-07 Thread Greg Wooledge
On Thu, Jul 07, 2022 at 10:45:00AM +0200, Erwan David wrote: > On 07/07/2022 at 10:11, Roger Price wrote: > > Newbie 3: The configuration file begins with the Bash shebang > > #!/usr/sbin/nft -f but the Debian 11 man page for nftables says > > > > -f, --file filename Read input from

Re: nft newbie

2022-07-07 Thread Erwan David
for nftables configuration files to be executable? As a newcomer, I expected something more "traditional", i.e. a file containing only key words and data values. Yes it is. If you look at the first line you see it is a script to be evaluated by /usr/sbin/nft Newbie 2: Command

Re: nft newbie

2022-07-07 Thread Roger Price
On Wed, 6 Jul 2022, Will Mengarini wrote: * gene heskett [22-07/06=We 18:50 -0400]: The man page while quite voluminous is as usual mostly bereft of useful examples. has various examples. May I continue this thread by

Re: nft newbie

2022-07-06 Thread gene heskett
On 7/6/22 20:20, Will Mengarini wrote: * gene heskett [22-07/06=We 18:50 -0400]: [...] iptables is out of support, replaced I guess with nft. [...] what's the command to [...] The man page while quite voluminous is as usual mostly bereft of useful examples.

Re: nft newbie

2022-07-06 Thread Will Mengarini
* gene heskett [22-07/06=We 18:50 -0400]: > [...] iptables is out of support, replaced I > guess with nft. [...] what's the command to [...] > > The man page while quite voluminous is as > usual mostly bereft of useful examples.

Re: nft newbie

2022-07-06 Thread Christian Britz
On 07.07.22 at 00:50, gene heskett wrote: > I was just locked up by what may have been a ransomware attack by a link > from pocket, > part of firefox's default screen. I did a power down, and had quite a I doubt that. This would be such a security disaster for Firefox that it would have

nft newbie

2022-07-06 Thread gene heskett
Greetings all; I was just locked up by what may have been a ransomware attack by a link from pocket, part of firefox's default screen. I did a power down, and had quite a few msg's during the reboot about orphaned inodes but everything seems to be working ok. I ran iptables for quite some