#!/usr/bin/nft -f
# do not edit this file.
# this base file is considered to be immutable and version controlled.
# edit the conf files to alter the generated fragments instead.
# ruleset is intended for one big atomic flush-and-reapply.
# helps prevent stale state issues.
# NOTE(review): 'flush ruleset' clears every table in every address family on the
# host, not only 'inet ipnet'. Any table installed by other tooling is removed as
# well and is not restored by this file; either re-create it here or re-apply it
# after this ruleset has been loaded.
flush ruleset
# symbolic constants that are not already understood by nft.
# the include paths in this file are relative, so the fragments must be reachable
# from nft's include search path (the -I option) wherever this file is loaded.
include "commondefs.conf"
# the general design of the firewall is that each interface gets its own chain immediately, no exceptions.
# this is the only real way to prevent policy from leaking.
table inet ipnet {
# presumably the sets/maps/objects the generated chains reference; it is included
# before the chains so those names exist when the rules below are parsed.
include "gen/dependency-includes.conf"
# the per-interface regular chains that the base chains below jump into.
include "gen/interfaces/base-chains.conf"
chain input {
# base chain on the input hook; priority 0 is the standard filter priority.
# policy drop: anything not accepted by a per-interface chain is dropped.
type filter hook input priority 0;
policy drop;
# generated dispatch into the per-interface chains; each interface chain is
# responsible for its own accept decisions.
include "gen/interfaces/jumps-in.conf"
# explicit terminal drop for anything that fell through every jump. it is
# redundant with the chain policy but makes the fall-through outcome visible
# in 'nft list ruleset'. insert a log rule above it if dropped traffic should
# be observable.
drop;
}
chain forward {
# no interface dispatch is included here, so the host forwards nothing:
# every forwarded packet is dropped by both the policy and the explicit rule.
type filter hook forward priority 0;
policy drop;
drop;
}
chain output {
# outbound traffic is default-deny as well; only what a per-interface chain
# accepts leaves the host.
type filter hook output priority 0;
policy drop;
include "gen/interfaces/jumps-out.conf"
# explicit terminal drop, same reasoning as in the input chain.
drop;
}
}