cellinfo
/
ansible.nftables
2
0
Fork 0
Code Issues Pull Requests Releases Activity

Allow localhost traffic.

This commit is contained in:
Jeremy Gardais 2017-08-09 11:05:00 +02:00
parent 9ba41af525
commit 7a36fddf38
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -76,6 +76,8 @@ nft_input_default_rules:
- jump global - jump global
010 drop unwanted: 010 drop unwanted:
- ip daddr @blackhole counter drop - ip daddr @blackhole counter drop
015 localhost:
- iif lo accept
040 dhcp: 040 dhcp:
- udp sport bootps udp dport bootpc limit rate 6/minute accept - udp sport bootps udp dport bootpc limit rate 6/minute accept
220 ssh: 220 ssh:
@ -88,6 +90,8 @@ nft_output_default_rules:
- type filter hook output priority 0; policy drop; - type filter hook output priority 0; policy drop;
005 global: 005 global:
- jump global - jump global
015 localhost:
- oif lo accept
040 dhcp: 040 dhcp:
- udp sport bootpc udp dport bootps limit rate 6/minute accept - udp sport bootpc udp dport bootps limit rate 6/minute accept
050 domain: 050 domain:
@ -151,6 +155,7 @@ table inet firewall {
type filter hook input priority 0; policy drop; type filter hook input priority 0; policy drop;
jump global jump global
ip daddr @blackhole counter packets 3 bytes 204 drop ip daddr @blackhole counter packets 3 bytes 204 drop
iif "lo" accept
udp sport bootps udp dport bootpc limit rate 6/minute accept udp sport bootps udp dport bootpc limit rate 6/minute accept
tcp dport ssh ct state new counter packets 0 bytes 0 accept tcp dport ssh ct state new counter packets 0 bytes 0 accept
} }
@ -158,6 +163,7 @@ table inet firewall {
chain output { chain output {
type filter hook output priority 0; policy drop; type filter hook output priority 0; policy drop;
jump global jump global
oif "lo" accept
udp sport bootpc udp dport bootps limit rate 6/minute accept udp sport bootpc udp dport bootps limit rate 6/minute accept
udp dport domain ct state new packets 0 bytes 0 accept udp dport domain ct state new packets 0 bytes 0 accept
} }

4
defaults/main.yml
View File

@ -32,6 +32,8 @@ nft_input_default_rules:
- jump global - jump global
010 drop unwanted: 010 drop unwanted:
- ip daddr @blackhole counter drop - ip daddr @blackhole counter drop
015 localhost:
- iif lo accept
040 dhcp: 040 dhcp:
- udp sport bootps udp dport bootpc limit rate 6/minute accept - udp sport bootps udp dport bootpc limit rate 6/minute accept
220 ssh: 220 ssh:
@ -44,6 +46,8 @@ nft_output_default_rules:
- type filter hook output priority 0; policy drop; - type filter hook output priority 0; policy drop;
005 global: 005 global:
- jump global - jump global
015 localhost:
- oif lo accept
040 dhcp: 040 dhcp:
- udp sport bootpc udp dport bootps limit rate 6/minute accept - udp sport bootpc udp dport bootps limit rate 6/minute accept
050 domain: 050 domain: