Dear security experts,
In order to resurrect my 2GB RAM netbook, I'm changing from SUSE Linux to Arch Linux.
Arch Linux is also great; for example, I'm enthusiastic about how much RAM is still free after the system boots.
I also chose Arch Linux because it supports the Raspberry Pi, which should be a sign of good philosophy and efficient use of the hardware.
I'm setting up a netfilter firewall for my system; below you find my /etc/nftables.conf.
Since I don't speak this netfilter language, I'm not able to check whether my system (I didn't set up any server; I'm directly connected to the DSL router of my internet provider) is reasonably protected.
I would be very grateful for your comments or suggestions.
- /etc/nftables.conf :
#!/usr/bin/nft -f
# Note: all three tables below (ip, ip6, inet) register an input base chain
# at priority 0. A packet traverses every one of them: 'accept' in one chain
# only hands it on to the next chain, while a drop or reject in any chain is
# final. So a packet gets through only if no chain drops or rejects it.
### ip filter, ip6 filter: verbatim from
### https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation on 2018-10-31
# fw.basic (native)
table ip filter {
    chain input {
        type filter hook input priority 0;
        # accept traffic originated from us
        ct state established,related accept
        # accept any localhost traffic
        iif lo accept
        # count and drop any other traffic
        counter drop
    }
}
# fw6.basic
table ip6 filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # accept neighbour discovery otherwise connectivity breaks
        icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
        # count and drop any other traffic
        counter drop
    }
}
### inet filter is the /etc/nftables.conf of Arch Linux 2018, BUT I changed (only) the 2 lines marked with '!', where I just added 'counter':
# ipv4/ipv6 Simple & Safe Firewall
# you can find examples in /usr/share/nftables/
table inet filter {
    chain input {
        type filter hook input priority 0;
        # allow established/related connections
        ct state {established, related} accept
        # early drop of invalid connections
        ct state invalid drop
        # allow from loopback
        iifname lo accept
        # allow icmp
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # allow ssh
        tcp dport ssh accept
        # everything else
        counter reject with icmpx type port-unreachable # !
    }
    chain forward {
        type filter hook forward priority 0;
        counter drop # !
    }
    chain output {
        type filter hook output priority 0;
    }
}
# vim:set ts=2 sw=2 et:
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
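As an added example (not part of the original post and not nft's own tooling), a small Python script that reads an nftables ruleset and lists, per IP version and hook, the base chains a packet will traverse. The RULESET string is a constructed, shortened excerpt of the config above; the parsing functions and the FAMILY_VERSIONS mapping are my own assumptions about the syntax.

```python
import re
from collections import defaultdict

# Constructed excerpt of the posted ruleset: only families and base-chain hooks matter here.
RULESET = """
table ip filter {
  chain input { type filter hook input priority 0; counter drop }
}
table ip6 filter {
  chain input { type filter hook input priority 0; counter drop }
}
table inet filter {
  chain input { type filter hook input priority 0; tcp dport ssh accept }
  chain forward { type filter hook forward priority 0; counter drop }
  chain output { type filter hook output priority 0; }
}
"""

TABLE_RE = re.compile(r"^\s*table\s+(\w+)\s+(\w+)\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\w+)\s*\{")
HOOK_RE = re.compile(r"\btype\s+\w+\s+hook\s+(\w+)\s+priority\s+(-?\d+)\s*;")

# Address family -> which IP versions its base chains see (assumption for this script).
FAMILY_VERSIONS = {"ip": ("ipv4",), "ip6": ("ipv6",), "inet": ("ipv4", "ipv6")}

def base_chains(text):
    """Yield (family, table, chain, hook, priority) for every base chain, in file order."""
    family = table = chain = None
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            family, table = m.groups()
        if m := CHAIN_RE.match(line):
            chain = m.group(1)
        if (m := HOOK_RE.search(line)) and chain:
            yield family, table, chain, m.group(1), int(m.group(2))

def chains_per_hook(text):
    """Per (ip version, hook): the base chains a packet traverses, sorted by priority.
    Equal priorities keep file order here; nft itself does not define that order."""
    grouped = defaultdict(list)
    for family, table, chain, hook, prio in base_chains(text):
        for version in FAMILY_VERSIONS.get(family, ()):
            grouped[(version, hook)].append((prio, f"{family} {table} {chain}"))
    return {key: [name for _, name in sorted(entries, key=lambda e: e[0])]
            for key, entries in grouped.items()}

if __name__ == "__main__":
    for (version, hook), names in sorted(chains_per_hook(RULESET).items()):
        print(f"{version} {hook}: {' -> '.join(names)}")
```

Every chain listed for a hook sees the packet, and a drop or reject in any of them is final; before loading the real file, `nft -c -f /etc/nftables.conf` checks its syntax without applying it.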