reindentation of the file

2024-02-24 20:21:29 +00:00 · 2024-02-24 20:21:29 +00:00 · 3164a727cc
commit 3164a727cc
parent b9704b9b9b
1 changed files with 72 additions and 72 deletions
--- a/nftables.conf
+++ b/nftables.conf
@ -1,5 +1,5 @@
 #!/usr/bin/nft -f
-# vim:set ts=2 sw=2 et:
+# vim:set ts=4 sw=4 et:
 # IPv4/IPv6 Simple & Safe firewall ruleset.
 # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
@ -27,18 +27,18 @@ define all_if = { $ext_if, $vict_if, $dmz_if }
 table ip6 block_all_ipv6
 delete table ip6 block_all_ipv6
 table ip6 block_all_ipv6 {
-	chain block_input {
+    chain block_input {
-		type filter hook input priority filter
+        type filter hook input priority filter
-		policy drop
+        policy drop
-	} 
+    } 
-	chain block_output {
+    chain block_output {
-		type filter hook output priority filter
+        type filter hook output priority filter
-		policy drop
+        policy drop
-	}
+    }
-	chain block_forward {
+    chain block_forward {
-		type filter hook forward priority filter
+        type filter hook forward priority filter
-		policy drop
+        policy drop
-	}
+    }
 }
@ -46,72 +46,72 @@ table ip6 block_all_ipv6 {
 table ip global
 delete table ip global
 table ip global {
-	set denylist {
+    set denylist {
-		type ipv4_addr
+        type ipv4_addr
-		flags dynamic, timeout
+        flags dynamic, timeout
-		timeout 2m
+        timeout 2m
-	}
+    }
-	chain input {
+    chain input {
-		type filter hook input priority filter
+        type filter hook input priority filter
-		policy drop
+        policy drop
-		# if somebody sent to many new connections to the gateway, it an attack.
+        # if somebody sent to many new connections to the gateway, it an attack.
-		ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
+        ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
-		ip saddr @denylist drop
+        ip saddr @denylist drop
-		ct state established accept
+        ct state established accept
-		iifname $vict_if icmp type echo-request limit rate 5/second accept
+        iifname $vict_if icmp type echo-request limit rate 5/second accept
-		iifname $vict_if tcp dport 22 accept
+        iifname $vict_if tcp dport 22 accept
-		iifname lo accept
+        iifname lo accept
 	}
 	chain output {
 		type filter hook output priority filter
 		policy drop
-		udp dport 53 limit rate 20/second accept
+    }
-		tcp dport 80 limit rate 20/second accept
+    chain output {
-		tcp dport 443 limit rate 20/second accept
+        type filter hook output priority filter
-		icmp type echo-request limit rate 5/second accept
+        policy drop
 		oifname $vict_if ct state established accept
-		# accept to say on the victim interface that the gateway is up.
+        udp dport 53 limit rate 20/second accept
-		# oifname $vict_if icmp type echo-reply limit rate 5/second accept
+        tcp dport 80 limit rate 20/second accept
-		oifname lo accept
+        tcp dport 443 limit rate 20/second accept
-	}
+        icmp type echo-request limit rate 5/second accept
-	chain forward {
+        oifname $vict_if ct state established accept
 		type filter hook forward priority filter
 		policy drop
-		# Block temporarly ip addresses that attemps more than 10 tcp connection per minutes from external network
+        # accept to say on the victim interface that the gateway is up.
-		iifname $ext_if ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
+        # oifname $vict_if icmp type echo-reply limit rate 5/second accept
-		ip saddr @denylist drop
+        oifname lo accept
-		
+    }
-		
+    chain forward {
-		# general authorisations
+        type filter hook forward priority filter
-		icmp type echo-reply accept
+        policy drop
 		# dmz interface specific
 		oifname $dmz_if icmp type echo-request limit rate 5/second accept
 		oifname $dmz_if tcp dport 80 accept
 		iifname $dmz_if ct state established tcp sport 80 accept
-		# external interface specific
+        # Block temporarly ip addresses that attemps more than 10 tcp connection per minutes from external network
-		oifname $ext_if icmp type echo-request accept
+        iifname $ext_if ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
-		oifname $ext_if udp dport 53 accept
+        ip saddr @denylist drop
 		iifname $ext_if ct state established udp sport 53 accept
 		oifname $ext_if tcp dport 80 accept
 		iifname $ext_if ct state established tcp sport 80 accept
 		oifname $ext_if tcp dport 443 accept
 		iifname $ext_if ct state established tcp sport 443 accept
-		# victim interface specific
+
-		iifname $vict_if tcp dport 22 accept
+        # general authorisations
-		oifname $vict_if ct state established tcp sport 22 accept
+        icmp type echo-reply accept
-		
+
-		# block for two minutes everything else that is from the public interface.
+        # dmz interface specific
-		iifname { $ext_if, $dmz_if } add @denylist { ip saddr }
+        oifname $dmz_if icmp type echo-request limit rate 5/second accept
-	}
+        oifname $dmz_if tcp dport 80 accept
        iifname $dmz_if ct state established tcp sport 80 accept
        # external interface specific
        oifname $ext_if icmp type echo-request accept
        oifname $ext_if udp dport 53 accept
        iifname $ext_if ct state established udp sport 53 accept
        oifname $ext_if tcp dport 80 accept
        iifname $ext_if ct state established tcp sport 80 accept
        oifname $ext_if tcp dport 443 accept
        iifname $ext_if ct state established tcp sport 443 accept
        # victim interface specific
        iifname $vict_if tcp dport 22 accept
        oifname $vict_if ct state established tcp sport 22 accept
        # block for two minutes everything else that is from the public interface.
        iifname { $ext_if, $dmz_if } add @denylist { ip saddr }
    }
 }