NFtables
Hi there, I just noticed NFtables, but I can't find a complete hardening configuration online. I would like to block everything but my connection. Is this possible? If yes, how? :D
Quote:
You can build a filter if you want, but for it to be less of an exercise in futility, it has to be custom designed for your specific situation and your particular threat model: What are you trying to protect, against whom, and why? What's your pain point for diagnosing network failures and adjusting the blocking and unblocking? Are you dealing with a server or a desktop/notebook? With a production or development environment? What kind of networking and/or VPN is involved? Knowing those will allow pointers to where to start.
Those questions don't have to be answered publicly, just to yourself, but they are what you will use to guide your decisions about the NFTables rules.
If you don't have SSH or any other external services then that simplifies the input rules, and the forwarding rules as well. The decisions then become about the granularity of control you want to have for the output rules. Those require a fair amount of debugging if you really lock them down, which might not be worth the effort. The VPN will complicate matters, but without one, my guess is that you could begin with the following:
Code:
#!/usr/sbin/nft -f
As you see it does not do much, and locking down the output chain would take a lot of detailed knowledge about your outgoing connections. You might get a much higher return on effort by writing (or rewriting) the AppArmor rules for your various client tools, such as the web browsers. Each web browser, for example, does not need access to much of anywhere in your system except for the Downloads directory. It does not need your Documents or your SSH keys or your VPN certificates, to name a few. Similar for any other networked software you run from day to day.
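A starting ruleset along the lines the reply describes, written here as an added example rather than the poster's own file (which the thread does not reproduce): a desktop or notebook with no listening services, no VPN, and no routing between interfaces. Input is default-deny, forwarding is dropped outright, and output is left open with a counter so you can see how much traffic a later output policy would have to account for. Everything in it is an assumption about such a machine; adjust the ICMP handling and the DHCP line to your own setup.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's ruleset. Assumes a single desktop/notebook
# with no listening services, no VPN and no forwarding between interfaces.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local programs talk to each other over loopback (DNS stubs, X11, D-Bus)
        iif "lo" accept

        # Replies to connections this host opened come back as established/related
        ct state established,related accept

        # Packets conntrack cannot place in any connection (out-of-window, malformed)
        ct state invalid drop

        # ICMP error messages are needed for path MTU discovery; echo requests are
        # rate-limited rather than dropped so the host stays diagnosable
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmp type echo-request limit rate 5/second accept

        # IPv6 does not work without neighbour discovery and router advertisements
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 5/second accept

        # DHCPv4 offers arrive before any connection exists; most clients read them
        # through a raw socket and need no rule. Uncomment if yours does not.
        # udp dport 68 accept

        # Everything else falls through to the drop policy; log a sample of it so
        # a "why does X not work" question can be answered from the kernel log
        limit rate 10/minute log prefix "nft input drop: "
        counter
    }

    chain forward {
        # This machine is not a router, so nothing is forwarded
        type filter hook forward priority 0; policy drop;
        counter
    }

    chain output {
        # Outbound is left open, as the reply suggests; the counter shows how much
        # traffic a future output policy would have to describe
        type filter hook output priority 0; policy accept;
        ct state invalid drop
        counter
    }
}
```

Check the syntax without loading it using nft -c -f on the file, load it with nft -f, and inspect the live ruleset and its counters with nft list ruleset. Dropped inbound packets show up in the kernel log (dmesg or journalctl -k) with the "nft input drop:" prefix, which is where to look first when something stops working after the ruleset is applied.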