# Skeleton of the "redxenfirewall" ruleset. The inet family means every
# chain below handles IPv4 and IPv6 packets alike. This file itself holds
# no match/accept rules: it declares two dynamic sets, three filter chains
# and four NAT chains, and pulls the actual rules in from the included
# directories, so the effective policy is whatever those directories
# contain at load time.
#
# NOTE(review): the include paths are relative, so they are resolved
# against nft's include search path (the compile-time default or a -I
# option), not against this file's location -- confirm the deployment
# loads this ruleset with the intended include directory. Whether a glob
# that matches no file is an error depends on the nft version in use;
# verify behaviour if a directory may legitimately be empty.
table inet redxenfirewall {
    # Dynamic IPv4 set, presumably populated at runtime by rules under the
    # "blocked" include (nothing in this file references it). "dynamic"
    # lets rules add elements on the fly; "timeout" lets elements carry an
    # expiry. No set-level default timeout is declared here, so an element
    # added without an explicit timeout would persist until removed --
    # verify that the adding rule in the includes sets one.
    set blackhole4 {
        type ipv4_addr;
        flags dynamic, timeout;
    }

    # IPv6 counterpart of blackhole4; same flags and same caveat about the
    # missing default timeout.
    set blackhole6 {
        type ipv6_addr;
        flags dynamic, timeout;
    }

    # Inbound filter (rx = receive, presumably). The base policy is drop,
    # but the final rule below is an unconditional reject, so a packet that
    # none of the includes accepted is normally answered with an ICMP
    # admin-prohibited rather than silently dropped; the drop policy only
    # takes effect if evaluation falls off the end of the chain. Include
    # order is evaluation order: "blocked" runs first, so a blacklisted
    # source is handled before any trusted/allowed rule can accept it, and
    # "established" runs last.
    chain rxfi {
        type filter hook input priority 0;
        policy drop;
        include "inet/redxenfirewall/filter/input/blocked/*";
        include "inet/redxenfirewall/filter/input/trusted/*";
        include "inet/redxenfirewall/filter/input/stateful/*";
        include "inet/redxenfirewall/filter/input/allowed/*";
        include "inet/redxenfirewall/filter/input/established/*";
        # Everything not accepted above is counted and explicitly rejected.
        # An explicit reject acknowledges the host's presence to the sender;
        # that is the trade-off against a silent drop.
        counter reject with icmpx type admin-prohibited;
    }

    # Forward filter for traffic routed through this host. Same structure
    # as the input chain: drop policy, rules from the include, then an
    # unconditional counted reject (here with a no-route ICMP) for anything
    # not accepted.
    chain fwfi {
        type filter hook forward priority 0;
        policy drop;
        include "inet/redxenfirewall/filter/forward/*";
        counter reject with icmpx type no-route;
    }

    # Outbound filter (tx = transmit, presumably). Unlike input and
    # forward this chain is accept-by-default and has no trailing reject,
    # so locally generated traffic is only restricted by whatever the
    # output include contains.
    chain txfi {
        type filter hook output priority 0;
        policy accept;
        include "inet/redxenfirewall/filter/output/*";
    }

    # NAT chains. nftables evaluates nat-type chains for the first packet of
    # a connection only; lower priority values run earlier, so prerouting
    # (-100) and output (-100) NAT happen before the priority-0 filter
    # chains see the packet, while input (100) and postrouting (100) NAT
    # happen after them. All four are accept-by-default and carry only the
    # rules from their include directory.
    chain prenat {
        type nat hook prerouting priority -100;
        policy accept;
        include "inet/redxenfirewall/nat/prerouting/*";
    }

    chain rxnat {
        type nat hook input priority 100;
        policy accept;
        include "inet/redxenfirewall/nat/input/*";
    }

    chain txnat {
        type nat hook output priority -100;
        policy accept;
        include "inet/redxenfirewall/nat/output/*";
    }

    chain postnat {
        type nat hook postrouting priority 100;
        policy accept;
        include "inet/redxenfirewall/nat/postrouting/*";
    }
}