Ability to set base chains #95
Comments
Hi @AlexSamad

You can always set nftables::in_out_conntrack
<https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md#in_out_conntrack>
and nftables::fwd_conntrack
<https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md#fwd_conntrack>
to false and create the conntrack-related rules that you consider more appropriate for your use case using nftables::rule
<https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md#nftablesrule>.
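One way to do what this comment describes, as an added example that is not code from the module's own manifests: keep the default skeleton, switch off its conntrack rules with the two parameters linked above, and declare only the `ct state established,related accept` part yourself. It assumes that `INPUT`, `OUTPUT` and `FORWARD` are the names of the skeleton's base chains and that `nftables::rule` takes a `content` string and a two-digit `order` (check both against REFERENCE.md for the version you run); the rule titles are ours.

```puppet
# Added example, not the module's own code. Assumes the skeleton's base
# chains are named INPUT, OUTPUT and FORWARD, and that nftables::rule
# accepts `content` and a two-digit `order` (verify in REFERENCE.md).
class { 'nftables':
  in_out_conntrack => false,  # module adds no est/related + invalid-drop rules to INPUT/OUTPUT
  fwd_conntrack    => false,  # same for FORWARD
}

# Our replacement: accept established/related early in each base chain,
# deliberately without the `ct state invalid drop` the module pairs it with.
['INPUT', 'OUTPUT', 'FORWARD'].each |String $chain| {
  nftables::rule { "${chain}-accept_established_related":
    order   => '05',  # after the chain's type/policy lines, before service accepts
    content => 'ct state established,related accept',
  }
}

# Optional middle ground, shown for INPUT only: invalid packets are still
# dropped, but logged and counted rather than dropped silently. Leave this
# out if you want no invalid-drop at all, as asked for in this issue.
nftables::rule { 'INPUT-log_drop_invalid':
  order   => '06',
  content => 'ct state invalid log prefix "[nftables] INPUT invalid: " counter drop',
}
```

Caveat worth knowing before removing the invalid-drop: a packet in `ct state invalid` (for example a bare ACK that matches no tracked connection) is then evaluated against the remaining rules, so a later `tcp dport 22 accept` will accept it. If that matters, write the service accepts as `tcp dport 22 ct state new accept` so only handshakes get through on the port rule.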
Hi

Yes, but for example when I set all_out to false you put in default rules.
What you have is good for somebody who doesn't want to create a framework of their own.
For example, how to get rid of all of the default chains and where they connect.
On Sun, 23 May 2021 at 18:15, Nacho Barrientos wrote:
Hi @AlexSamad <https://github.com/AlexSamad>
You can always set nftables::in_out_conntrack
<https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md#in_out_conntrack>
and nftables::fwd_conntrack
<https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md#fwd_conntrack>
to false and create the conntrack-related rules that you consider more
appropriate for your use case using nftables::rule
<https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md#nftablesrule>.
If I understand correctly what you'd like to achieve, the module would have to be patched to put the statement that includes inet_filter
<https://github.com/voxpupuli/puppet-nftables/blob/master/manifests/init.pp#L163>
behind a parameter. That should give you a clear canvas allowing you to define your own tables, chains and rules using the types provided by the module.

The default skeleton we're currently shipping is skinny enough to cover many use cases so we should probably continue with the same default. That said, I personally don't see any problem in allowing to optionally have an even more lightweight set of defaults.

I'll let the other devs comment though, perhaps I'm not understanding you correctly.
Hi

Exactly, or what I was thinking: if you can pass in a resource to replace your epp file, or a config resource.
So right now you default to a file. If that can come from a config option, even that would be all that's needed.
For example, the CT statements you link: est/related with ct invalid drop. I want est/related but not invalid drop.
Plus I don't want the empty default chains; people might use them.
Anyway, not a show stopper for me; I had to do a lot of workarounds to work with your skeleton for the tables. The other stuff is awesome.
A
On Tue, 25 May 2021 at 07:30, Nacho Barrientos wrote:
If I understand correctly what you'd like to achieve, the module would
have to be patched to put the statement that includes inet_filter
<https://github.com/voxpupuli/puppet-nftables/blob/master/manifests/init.pp#L163>
behind a parameter. That should give you a clear canvas allowing you to
define your own tables, chains and rules using the types provided by the
module.
The default skeleton we're currently shipping is skinny enough to cover
many use cases so we should probably continue with the same default. That
said, I personally don't see any problem in allowing to optionally have an
even more lightweight set of defaults.
I'll let the other devs comment though, perhaps I'm not understanding you
correctly.
Hi, can't really do it with your module. I would really like to use your code for managing files and testing before implementing. Thanks
Ok. Putting include
As long as the default doesn't change, ok for me.
Yeah, think that would work.
Maybe. Thinking... have different defaults that can be set. So yours and maybe a default that makes it look like iptables.
A
On Mon, 31 May 2021, 05:39 duritong wrote:
As long as the default doesn't change, ok for me.
By setting `nftables::inet_filter` and `nftables::nat` to `false` users can now start off from a totally empty firewall and add the tables, chains and rules they'd like. The default skeleton for inet-filter, ip-nat and ip6-nat is kept enabled by default. Fixes voxpupuli#95.
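The "totally empty firewall" from the commit message, carried through to a complete manifest, as an added example that is not code from the module or from the fixing PR: with `inet_filter` and `nat` off, every table, base chain, hook, policy and conntrack rule is declared by the manifest, which gives the control over INPUT/OUTPUT/FORWARD this issue asks for. It goes slightly beyond the single case in the thread by driving all three hooks from one hash. It assumes the `nftables::inet_filter` and `nftables::nat` class parameters named in the commit message; that the table file has to be declared with `nftables::config` (tablespec of the form `family-name`) once the skeleton is disabled (drop that line if your module version already declares `inet-filter`); and `nftables::chain` with a `table` parameter plus `nftables::rule` with `content`/`order`, as in REFERENCE.md. The iptables-style chain names and the rule titles are ours.

```puppet
# Added example, not the module's own code. Assumes: nftables::inet_filter
# and nftables::nat parameters (named in the commit message), nftables::config
# for the table file (omit if the module already declares 'inet-filter'),
# nftables::chain { title: table => ... } and nftables::rule with
# `content` and a two-digit `order` (verify in REFERENCE.md).
class { 'nftables':
  inet_filter => false,  # do not ship the default inet filter skeleton
  nat         => false,  # nor the ip/ip6 nat tables
  # with the skeleton off, the per-service switches (in_ssh, out_dns, ...)
  # have no chains to attach to, so everything below is explicit
}

# Assumed to be needed once the skeleton is off: the file for `table inet filter`.
nftables::config { 'inet-filter': }

# Base chains, one per hook, each with an explicit policy. Names mirror
# iptables, as suggested in the thread; hooks/policies are ours.
$base_chains = {
  'INPUT'   => { 'hook' => 'input',   'policy' => 'drop'   },
  'FORWARD' => { 'hook' => 'forward', 'policy' => 'drop'   },
  'OUTPUT'  => { 'hook' => 'output',  'policy' => 'accept' },
}

$base_chains.each |String $chain, Hash $spec| {
  nftables::chain { $chain:
    table => 'inet-filter',
  }
  nftables::rule {
    "${chain}-type":
      order   => '01',
      content => "type filter hook ${spec['hook']} priority 0";
    "${chain}-policy":
      order   => '02',
      content => "policy ${spec['policy']}";
    # established/related first, and no `ct state invalid drop`, as asked
    # for in this issue: an invalid packet falls through to the explicit
    # accepts below and, failing those, to the chain policy.
    "${chain}-accept_established_related":
      order   => '03',
      content => 'ct state established,related accept';
  }
}

# Explicit accepts for INPUT. Because invalid packets are not dropped up
# front, service accepts are restricted to `ct state new` so a stray ACK
# to port 22 is not accepted by the dport match alone.
nftables::rule {
  'INPUT-lo':
    order   => '10',
    content => 'iifname lo accept';
  'INPUT-icmp':
    order   => '11',
    content => 'meta l4proto { icmp, ipv6-icmp } accept';
  'INPUT-ssh':
    order   => '20',
    content => 'tcp dport 22 ct state new accept';
  'INPUT-log':
    order   => '99',
    content => 'log prefix "[nftables] INPUT drop: " counter';  # policy drop follows
}
```

Before letting the service pick the rendered file up, run `nft -c -f <file>` against it: that parses and validates the ruleset without loading it, which catches a mistyped hook or policy line in a base chain before the drop policy takes effect on a box you are logged into over SSH.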
RHEL 8
I would like to remove the drop invalid.
From previous experience, restarting (iptables) via services also cleared connection tracking, which made every packet invalid.
But I would still like more control of those base chains (INPUT/OUTPUT/FORWARD). Not sure how to do that with the current config.