From 7a36fddf38c17e910b160d9ce249efb93514e3df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Wed, 9 Aug 2017 11:05:00 +0200
Subject: [PATCH] Allow localhost traffic.
---
 README.md | 6 ++++++
 defaults/main.yml | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/README.md b/README.md
index 58bff86..4af29b6 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,8 @@ nft_input_default_rules:
- jump global 010 drop unwanted: - ip daddr @blackhole counter drop + 015 localhost: - iif lo accept 040 dhcp: - udp sport bootps udp dport bootpc limit rate 6/minute accept 220 ssh:
@@ -88,6 +90,8 @@ nft_output_default_rules:
- type filter hook output priority 0; policy drop; 005 global: - jump global + 015 localhost: - oif lo accept 040 dhcp: - udp sport bootpc udp dport bootps limit rate 6/minute accept 050 domain:
@@ -151,6 +155,7 @@ table inet firewall {
type filter hook input priority 0; policy drop; jump global ip daddr @blackhole counter packets 3 bytes 204 drop + iif "lo" accept udp sport bootps udp dport bootpc limit rate 6/minute accept tcp dport ssh ct state new counter packets 0 bytes 0 accept }
@@ -158,6 +163,7 @@ table inet firewall {
chain output { type filter hook output priority 0; policy drop; jump global + oif "lo" accept udp sport bootpc udp dport bootps limit rate 6/minute accept udp dport domain ct state new packets 0 bytes 0 accept }
diff --git a/defaults/main.yml b/defaults/main.yml
index 22a3f4f..bf301de 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -32,6 +32,8 @@ nft_input_default_rules:
- jump global 010 drop unwanted: - ip daddr @blackhole counter drop + 015 localhost: - iif lo accept 040 dhcp: - udp sport bootps udp dport bootpc limit rate 6/minute accept 220 ssh:
@@ -44,6 +46,8 @@ nft_output_default_rules:
- type filter hook output priority 0; policy drop; 005 global: - jump global + 015 localhost: - oif lo accept 040 dhcp: - udp sport bootpc udp dport bootps limit rate 6/minute accept 050 domain:
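Review bot: The new `015 localhost` entry in `nft_input_default_rules` of defaults/main.yml adds `iif lo accept` with no companion anti-spoofing rule, so a packet arriving on a non-loopback interface but addressed to 127.0.0.0/8 or ::1 is not rejected by this ruleset and falls through to the later `040`/`220` rules; the usual pairing in an `inet`-family chain is a further entry right after it, e.g. `016 spoofed localhost:` holding `- iif != lo ip daddr 127.0.0.0/8 counter drop` and `- iif != lo ip6 daddr ::1/128 counter drop`. The kernel's martian filtering normally discards such packets, but that depends on sysctl state this role does not appear to manage, so the chain should not rely on it. Placing the accept at `015`, after `010 drop unwanted`, looks deliberate: loopback traffic to an address in `@blackhole` is presumably still meant to be dropped, and a short comment above the entry saying so (`# loopback is trusted, but blackholed destinations are dropped first`) would keep a later reorder from silently changing that. The `nft_input_default_rules` mapping starts above this hunk.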