ryan77627/guix
1
0
Fork 0
mirror of https://git.in.rschanz.org/ryan77627/guix.git synced 2024-11-07 07:26:13 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

services: nftables: Tighten the default rules.

Browse source 
Packets for local host IP ranges should be coming only over lo.  If that is
not the case, we should drop them.  Use iif for the check instead of iifname,
lo is guaranteed to exists, and iif is faster.

* gnu/services/networking.scm (%default-nftables-ruleset): Tighten the rules.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This commit is contained in:
Tomas Volf 2023-08-14 01:21:33 +02:00 committed by Ludovic Courtès
parent 6156bf9078
commit 82f9e5ac97
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
gnu/services/networking.scm
View file

@ -1813,7 +1813,10 @@ (define %default-nftables-ruleset
ct state { established, related } accept
# allow from loopback
iifname lo accept
iif lo accept
# drop connections to lo not coming from lo
iif != lo ip daddr 127.0.0.1/8 drop
iif != lo ip6 daddr ::1/128 drop
# allow icmp
ip protocol icmp accept