				@@ -34,9 +34,9 @@ table inet firewall { 
				         meta protocol vmap { ip: jump inbound_ipv4, ip6: jump inbound_ipv6 } 
				  
				         # silence some noisy crap 
				-        meta pkttype broadcast counter drop comment "silently drop unsollicited broadcast" 
				-        meta pkttype multicast counter drop comment "silently drop unsollicited multicast" 
				-        ip daddr 255.255.255.255/32 counter drop comment "really drop unsollicited IPv4 broadcast" 
				+        #meta pkttype broadcast counter drop comment "silently drop unsollicited broadcast" 
				+        #meta pkttype multicast counter drop comment "silently drop unsollicited multicast" 
				+        #ip daddr 255.255.255.255/32 counter drop comment "really drop unsollicited IPv4 broadcast" 
				  
				         # allow http and https traffic 
				         tcp dport { 80, 443 } accept 
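Review bot: Commenting out the three drop rules under `# silence some noisy crap` means broadcast, multicast and 255.255.255.255-addressed packets now continue down the chain instead of being counted and dropped here, so whether they are still dropped depends on the chain's policy and remaining rules, which lie outside this hunk. The header comment now labels three dead lines, which will confuse the next reader. These silent drops were also what kept the final log rule (second hunk, lines 45-52) from being flooded by non-unicast traffic, so disabling them worsens the very noise the second hunk then suppresses by turning off logging. Rather than disabling both, replacing the three rules with one `fib daddr type { broadcast, multicast, anycast } counter drop comment "drop non-unicast before logging"` would cover the same packets with one rule and allow the log rule to stay active. The enclosing chain starts before this hunk.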
				@@ -45,7 +45,8 @@ table inet firewall { 
				         tcp dport ssh ct state new limit rate 4/minute accept 
				  
				         # log all denied traffic (including ssh) 
				-        log prefix "[nftables] Inbound Denied: " counter drop 
				+        # @note: disabled until I can find a way to silence wrong DST traffic 
				+        #log prefix "[nftables] Inbound Denied: " counter drop 
				     } 
				  
				     # do not act as a router; drop all forward requests 
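Review bot: Disabling `log prefix "[nftables] Inbound Denied: " counter drop` removes the only record of rejected inbound traffic, including ssh connection attempts that exceed the `limit rate 4/minute` rule just above, so a brute-force attempt is no longer visible in the logs; the context comment `# log all denied traffic (including ssh)` is now false and should be updated or the rule restored. If the chain's policy is not `drop` (the chain header is outside this hunk), removing the rule also changes the disposition of unmatched packets, not just their logging. A less lossy option than turning logging off is to keep the rule and drop the unwanted destination traffic in the rule before it, as proposed on the first hunk, or to bound the noise with `log prefix "[nftables] Inbound Denied: " limit rate 10/minute counter drop`. The `@note` comment would then be unnecessary.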