1 Testing the ruleset rendered from the default firewall configuration.
5 include("./tests/mock.uc", {
6 TESTFILE: "test-wrapper.uc",
9 getenv: function(varname) {
33 define lan_devices = { "br-lan" }
34 define lan_subnets = { 192.168.26.0/24, fd63:e2f:f706::/60 }
36 define wan_devices = { "wan" }
37 define wan_subnets = { 10.11.12.0/24 }
44 include "/etc/nftables.d/*.nft"
52 type filter hook input priority filter; policy accept;
54 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
56 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
59 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
62 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
63 iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
68 type filter hook forward priority filter; policy drop;
70 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
74 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
75 iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
81 type filter hook output priority filter; policy accept;
83 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
85 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
89 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
90 oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
95 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
96 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
100 tcp flags & (fin | syn | rst | ack) == syn limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
101 drop comment "!fw4: Drop excess packets"
114 jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
118 chain accept_from_lan {
119 iifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
122 chain accept_to_lan {
123 oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
127 meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: Allow-DHCP-Renew"
128 meta nfproto ipv4 meta l4proto icmp counter accept comment "!fw4: Allow-Ping"
129 meta nfproto ipv4 meta l4proto igmp counter accept comment "!fw4: Allow-IGMP"
130 ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter accept comment "!fw4: Allow-DHCPv6"
131 meta l4proto ipv6-icmp ip6 saddr fe80::/10 counter accept comment "!fw4: Allow-MLD"
132 meta nfproto ipv6 meta l4proto ipv6-icmp limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
141 meta nfproto ipv6 meta l4proto ipv6-icmp limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
142 meta l4proto esp counter jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
143 udp dport 500 counter jump accept_to_lan comment "!fw4: Allow-ISAKMP"
147 chain accept_to_wan {
148 oifname "wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
151 chain reject_from_wan {
152 iifname "wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
155 chain reject_to_wan {
156 oifname "wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
166 type nat hook prerouting priority dstnat; policy accept;
171 type nat hook postrouting priority srcnat; policy accept;
173 oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
177 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
182 # Raw rules (notrack & helper)
185 chain raw_prerouting {
186 type filter hook prerouting priority raw; policy accept;
188 iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
192 type filter hook output priority raw; policy accept;
197 type "amanda" protocol udp;
201 type "ftp" protocol tcp;
205 type "RAS" protocol udp;
209 type "Q.931" protocol tcp;
213 type "irc" protocol tcp;
216 ct helper netbios-ns {
217 type "netbios-ns" protocol udp;
221 type "pptp" protocol tcp;
225 type "sane" protocol tcp;
229 type "sip" protocol udp;
233 type "snmp" protocol udp;
237 type "tftp" protocol udp;
241 type "rtsp" protocol tcp;
246 meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
247 meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
248 meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
249 meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
250 meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
251 meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
252 meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
253 meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
254 meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
255 meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
256 meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
257 meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"
266 chain mangle_prerouting {
267 type filter hook prerouting priority mangle; policy accept;
271 chain mangle_output {
272 type filter hook output priority mangle; policy accept;
276 chain mangle_forward {
277 type filter hook forward priority mangle; policy accept;
279 iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
280 oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
286 [call] ctx.call object <network.interface> method <dump> args <null>
287 [call] ctx.call object <service> method <get_data> args <{ "type": "firewall" }>
288 [call] fs.open path </proc/version> mode <r>
289 [call] fs.stat path </sys/module/nf_conntrack_amanda>
290 [call] fs.stat path </sys/module/nf_conntrack_ftp>
291 [call] fs.stat path </sys/module/nf_conntrack_h323>
292 [call] fs.stat path </sys/module/nf_conntrack_h323>
293 [call] fs.stat path </sys/module/nf_conntrack_irc>
294 [call] fs.stat path </sys/module/nf_conntrack_netbios_ns>
295 [call] fs.stat path </sys/module/nf_conntrack_pptp>
296 [call] fs.stat path </sys/module/nf_conntrack_sane>
297 [call] fs.stat path </sys/module/nf_conntrack_sip>
298 [call] fs.stat path </sys/module/nf_conntrack_snmp>
299 [call] fs.stat path </sys/module/nf_conntrack_tftp>
300 [call] fs.stat path </sys/module/nf_conntrack_rtsp>
301 [call] fs.open path </sys/class/net/br-lan/flags> mode <r>
302 [call] fs.open path </sys/class/net/br-lan/flags> mode <r>