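# Host firewall for the "redxen" machine, written as one inet table so each
# chain sees IPv4 and IPv6 alike.  This file only fixes the chain skeleton,
# the default verdicts and the blackhole handling; service-specific rules are
# pulled in from the include directories referenced below, so the effective
# policy cannot be judged from this file alone.
table inet redxenfirewall {
	# Sources that were blackholed at runtime (presumably populated by
	# add/update statements in the included "stateful" rules).  Two guards
	# that the bare `flags dynamic, timeout` declaration lacked:
	#   * a set-level default timeout, so an element added without an
	#     explicit timeout still expires instead of living until reboot;
	#   * a size, so a flood of distinct offenders cannot grow the set (and
	#     kernel memory) without bound.  Once the set is full further adds
	#     fail and new offenders are simply not banned -- a bounded failure
	#     mode, which is the point.
	set blackhole4 {
		type ipv4_addr;
		flags dynamic, timeout;
		timeout 1h;
		size 65536;
	}

	set blackhole6 {
		type ipv6_addr;
		flags dynamic, timeout;
		timeout 1h;
		size 65536;
	}

	# Input hook, default-deny.  Everything not explicitly accepted here is
	# handed to rxfi-extern, whose final rule rejects; the `policy drop` is
	# therefore only a safety net should the included rules ever `return`.
	chain rxfi {
		type filter hook input priority 0;
		policy drop;

		# Conntrack could not classify the packet (bad TCP flags or sequence
		# numbers, non-initial fragment, ...).  Dropped first so it can never
		# reach the stateful accept rules below.
		ct state invalid counter drop;

		# Blackholed sources: drop silently and extend the ban by another
		# hour on every hit.  `drop` rather than `reject` on purpose --
		# answering a banned (and possibly spoofed) address both confirms the
		# host is up and turns the blackhole into a reflector toward whoever
		# the attacker put in the source field.  The sliding refresh also
		# means a forged source can keep an innocent peer banned for as long
		# as the forgery continues; keep the ban triggers in the stateful
		# includes conservative for that reason.
		ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter drop;
		ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter drop;

		# Echo is answered from anywhere, unrated.  Put a `limit rate` in
		# front of this rule if ping floods matter on this link.
		icmp type { echo-request } counter accept;

		# IPv6 neighbour discovery.  NS/NA may legitimately carry a global
		# or (for DAD) unspecified source, so they are accepted as-is.  A
		# router advertisement is only valid from a link-local source
		# (RFC 4861 section 4.2), so RAs from anything else are refused here
		# instead of relying on the kernel to discard them.  nd-router-solicit
		# and MLD are intentionally not accepted: only needed if this host is
		# meant to act as an IPv6 router for its neighbours.
		icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } counter accept;
		ip6 saddr fe80::/10 icmpv6 type nd-router-advert counter accept;

		# Return traffic for flows this host initiated, plus the ICMP errors
		# conntrack ties to them (destination-unreachable, packet-too-big,
		# time-exceeded, ...).  Deliberately placed after the blackhole rules
		# so banning a source also cuts its existing connections.
		ct state related,established counter accept;

		# Loopback and eth1 are trusted outright: any new connection arriving
		# on them is accepted with no further filtering.  eth1 is presumably
		# an internal/management link -- confirm that before reusing this
		# file on a host where eth1 is Internet-facing.
		iifname { "lo", "eth1" } counter accept;

		# Unsolicited traffic on every other interface.
		jump rxfi-extern;
	}

	# Unsolicited traffic from the untrusted interfaces.  The included files
	# decide which services are exposed; nothing falls through.
	chain rxfi-extern {
		include "inet/redxenfirewall/filter/input/stateful/*";
		include "inet/redxenfirewall/filter/input/allowed/*";

		# Explicit reject so legitimate clients fail fast instead of timing
		# out.  The trade-off is that a scanner can tell "filtered" from "no
		# host here"; switch to `drop` if stealth matters more than client
		# friendliness.
		counter reject with icmpx type admin-prohibited;
	}

	# Forward hook, default-deny.  This file adds no invalid/established
	# handling for forwarded flows -- if routing is expected to be stateful,
	# those rules have to come from the include directory; check it before
	# relying on that.
	chain fwfi {
		type filter hook forward priority 0;
		policy drop;
		include "inet/redxenfirewall/filter/forward/*";

		# Tell the sender there is no route rather than letting it time out.
		counter reject with icmpx type no-route;
	}

	# Output hook.  Locally generated traffic is allowed by default; the
	# included rules can only narrow that.
	chain txfi {
		type filter hook output priority 0;
		policy accept;
		include "inet/redxenfirewall/filter/output/*";
	}

	# NAT chains.  They only register the hooks; every rewrite rule lives in
	# the include directories.  Priorities follow nft's dstnat (-100) and
	# srcnat (100) conventions, so destination NAT runs before and source NAT
	# after the filter chains above.
	chain prenat {
		type nat hook prerouting priority -100;
		policy accept;
		include "inet/redxenfirewall/nat/prerouting/*";
	}

	chain rxnat {
		type nat hook input priority 100;
		policy accept;
		include "inet/redxenfirewall/nat/input/*";
	}

	chain txnat {
		type nat hook output priority -100;
		policy accept;
		include "inet/redxenfirewall/nat/output/*";
	}

	chain postnat {
		type nat hook postrouting priority 100;
		policy accept;
		include "inet/redxenfirewall/nat/postrouting/*";
	}
}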