guix-commits

04/07: services: nftables: Tighten the default rules.


From: guix-commits
Subject: 04/07: services: nftables: Tighten the default rules.
Date: Thu, 19 Oct 2023 18:36:03 -0400 (EDT)

civodul pushed a commit to branch master
in repository guix.

commit 82f9e5ac97e076d57b8502c920ac770a82879b9a
Author: Tomas Volf <wolf@wolfsden.cz>
AuthorDate: Mon Aug 14 01:21:33 2023 +0200

    services: nftables: Tighten the default rules.
    
    Packets for local host IP ranges should be coming only over lo.  If that is
    not the case, we should drop them.  Use iif for the check instead of iifname;
    lo is guaranteed to exist, and iif is faster.
    
    * gnu/services/networking.scm (%default-nftables-ruleset): Tighten the rules.
    
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>
---
 gnu/services/networking.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 99889e3072..0508a4282c 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1813,7 +1813,10 @@ table inet filter {
     ct state { established, related } accept
 
     # allow from loopback
-    iifname lo accept
+    iif lo accept
+    # drop connections to lo not coming from lo
+    iif != lo ip daddr 127.0.0.1/8 drop
+    iif != lo ip6 daddr ::1/128 drop
 
     # allow icmp
     ip protocol icmp accept
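Review bot: the two new drop rules match only on the destination address, so a packet arriving on a non-lo interface with a loopback source address (ip saddr 127.0.0.0/8 or ip6 saddr ::1/128) and some other destination is not dropped by this hunk; if the intent is to keep the loopback ranges strictly on lo, add the symmetric rules, e.g. `iif != lo ip saddr 127.0.0.0/8 drop` and `iif != lo ip6 saddr ::1/128 drop`. Two smaller points: `127.0.0.1/8` is accepted by nft but is a host address with a /8 mask; `127.0.0.0/8` states the intended prefix and is what `nft list ruleset` prints back. And the comment says "connections" while the rule drops individual packets regardless of ct state; because the `ct state { established, related } accept` rule above it runs first, only packets that conntrack has not already accepted reach the drop, which is worth saying in the comment. Also worth a sentence in the commit message: by default the kernel already discards packets carrying 127.0.0.0/8 addresses on non-loopback interfaces as martians unless net.ipv4.conf.<if>.route_localnet is enabled, so these rules are defence in depth and only take effect when that sysctl has been turned on.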


