Firewall nftables settings (firewall.toml)
By default, the settings from the firewall are located here:
/etc/kor-elf-shield/firewall.toml
The path to these settings can be changed in the main settings and can be found here (parameter firewall).
A copy of the full settings file is here.
There are several sections in this file:
- Port Settings
- Settings IPv4
- Settings IPv6
- General settings
- Default Action Policy
- Port knocking
- Naming metadata
Port Settings
These settings should be located at the beginning of the file before the sections: "Settings IPv4", "Settings IPv6", "General Settings", "Default Action Policy", "Metadata naming".
| Parameter | [[ports]] |
| Meaning | We specify a group of port settings |
| By default | |
| Description | This is a group of port settings. [[ports]] You can specify an unlimited number of groups. [[ports]] numbers - Port numbers (required field) directions - Incoming (in), outgoing traffic (out) (required field) protocols - Protocol: tcp, udp (required field) action - Action: accept, drop or reject (required field) limit_rate - Specify restrictions if necessary (optional field) numbers - you can specify one or more ports, but the rules will be created separately for each port. directions - if we specify in and out, then each rule is created separately in its own chain. protocols - if and is specified tcp udp, then each rule is created separately for each protocol. action: accept - allow drop - block silently reject - lock with feedback limit_rate - install it according to the documentation nftables(limit rate). |
| Examples |
Another example:
Another example:
|
| *** | |
|---|---|
| Parameter | [[ips]] |
| Meaning | We specify a group of IP address settings |
| By default | |
| Description |
We specify IP the addresses that should be allowed or prohibited. [[ips]] You can specify an unlimited number of groups. |
| Examples |
Another example:
|
Settings IPv4
Specify the parameters for this section first [ip4], and then specify the other parameters of this section. Example:
[ip4]
icmp_in = true
icmp_in_rate = "1/second"
icmp_out = true
| Parameter | icmp_in |
| Meaning | true or false |
| By default | true |
| Description | Allow incoming PING. Disabling PING it may disrupt the operation of external monitoring. true - includes false - turns it off |
| Examples |
|
| *** | |
|---|---|
| Parameter | icmp_in_rate |
| Meaning | Set limits on the number of simultaneous packets per second. |
| By default | 1/second |
| Description | Set limits on the number of simultaneous incoming packets per second. If the number of packets exceeds the specified period, the remaining packets will be discarded. If you notice unwanted losses, increase the value or disable it. To disable the speed limit, set the value to "0", otherwise set it according to the documentation nftables (limit rate). For example, «1/second»it will limit transmission to one packet per second. |
| Examples |
|
| *** | |
| Parameter | icmp_out |
| Meaning | true or false |
| By default | true |
| Description | Allow outgoing PING. If there are no special reasons, it is better not to disable it, otherwise it may disrupt the OS. true - includes false - turns it off |
| Examples |
|
| *** | |
| Parameter | icmp_out_rate |
| Meaning | Set limits on the number of simultaneous packets per second. |
| By default | 0 |
| Description | Set limits on the number of simultaneous outgoing packets per second. If the number of packets exceeds the specified period, the remaining packets will be discarded. If there are no special reasons, it is better not to include restrictions, otherwise it may disrupt the OS. To disable the speed limit, set the value to "0", otherwise set it according to the documentation nftables (limit rate). For example, «1/second»it will limit transmission to one packet per second. |
| Examples |
|
| *** | |
| Parameter | icmp_timestamp_drop |
| Meaning | true or false |
| By default | false |
| Description | Block ICMP timestamprequests. In fact, there is almost no real threat, but sometimes IT auditors insist on blocking ICMP timestamprequests. true - includes false - turns it off |
| Examples |
|
Settings IP6
Specify the parameters for this section first [ip6], and then specify the other parameters of this section. Example:
[ip6]
enable = true
icmp_strict = false
| Parameter | enable |
| Meaning | true or false |
| By default | false |
| Description | Enables support IPv6. If IPv6 turned off, all settings related to IPv6 will be ignored. true - includes false - turns it off |
| Examples |
|
| *** | |
|---|---|
| Parameter | icmp_strict |
| Meaning | true or false |
| By default | false |
| Description | IPv6 It actively uses packages ICMPV6, so strict mode ICMPV6 is disabled by default. However, this may increase the risk of attacks on ICMPV6. You can enable strict mode, but this may cause problems with some types of connections. true - includes false - turns it off |
| Examples |
|
General settings
Specify the parameters for this section first [options], and then specify the other parameters of this section. Example:
[options]
cache = true
clear_mode = "global"
saves_rules = false
saves_rules_path = "/etc/nftables.conf"
dns_strict = false
dns_strict_ns = false
packet_filter = true
| Parameter | cache |
| Meaning | true or false |
| By default | true |
| Description | Enables caching to avoid constantly compiling commands nftables into a temporary file. The cache file changes after changing the settings or updating the program version. true - includes false - turns it off |
| Examples |
|
| Parameter | clear_mode |
| Meaning | global or own |
| By default | global |
| Description |
Switching the firewall cleaning mode nftables. If you specify "own", there may be a conflict in the rules. It can cause a security problem. Please indicate "own" if you are confident in your actions. global - clears all the rules completely |
| Examples |
|
| Parameter | saves_rules |
| Meaning | true or false |
| By default | false |
| Description | Will the daemon save the rules to a system file nftables? Don't forget to check that the path to nftables matches your OS. If you do not save the rules to the system file nftables, then after restarting the program nftables (for example, after updating) all the rules will be erased. Nevertheless, by default, we decided to disable automatic saving of rules to the system file nftables, because we first need to make sure that the parameter saves_rules_path points to the correct file. true - includes false - turns it off |
| Examples |
|
| Parameter | saves_rules_path |
| Meaning | Specifying the path to the file |
| By default | /etc/nftables.conf |
| Description | The path where the rules for will be saved nftables. Specify the path that corresponds to your OS. The path must be absolute. The relative path will cause an error! It must be indicated at the end .conf. |
| Examples |
|
| Parameter | dns_strict |
| Meaning | true or false |
| By default | false |
| Description | Includes strict nftables k DNS-traffic rules. If you enable this mode, some rules related to DNSwill not be added to nftables. This will improve security and prevent abuse of the local DNSserver. But it can cause problems related to. DNS true - includes false - turns it off |
| Examples |
|
| Parameter | dns_strict_ns |
| Meaning | true or false |
| By default | false |
| Description | Includes strict nftables rules for DNSinternet traffic. If you enable this mode, the rules for allowing IP port 53 addresses (incoming and outgoing) that are specified in will not be added. /etc/resolv.conf This can trigger a problem with DNS. true - includes false - turns it off |
| Examples |
|
| Parameter | packet_filter |
| Meaning | true or false |
| By default | true |
| Description | Adds nftables packages that break the order to the filtering. It is not recommended to disable it! true - includes false - turns it off |
| Examples |
|
Default Action Policy
Specify the parameters for this section first [policy], and then specify the other parameters of this section. Example:
[policy]
default_allow_input = false
default_allow_output = false
default_allow_forward = false
| Parameter | default_allow_input |
| Meaning | true or false |
| By default | false |
| Description | Allow incoming traffic by default. true - includes false - turns it off |
| Examples |
|
| Parameter | default_allow_output |
| Meaning | true or false |
| By default | false |
| Description | Allow outgoing traffic by default. true - includes false - turns it off |
| Examples |
|
| Parameter | default_allow_forward |
| Meaning | true or false |
| By default | false |
| Description | Allow forward трафик by default. true - includes false - turns it off |
| Examples |
|
| Parameter | input_drop |
| Meaning | drop or reject |
| By default | drop |
| Description | How to block incoming traffic. drop - block silently reject - lock with feedback |
| Examples |
|
| Parameter | input_priority |
| Meaning | From -50 to 50 |
| By default | -10 |
| Description | Priority chain for input. |
| Examples |
|
| Parameter | output_drop |
| Meaning | drop or reject |
| By default | reject |
| Description | How to block outgoing traffic. drop - block silently reject - lock with feedback |
| Examples |
|
| Parameter | output_priority |
| Meaning | From -50 to 50 |
| By default | -10 |
| Description | Priority chain for output. |
| Examples |
|
| Parameter | forward_drop |
| Meaning | drop or reject |
| By default | drop |
| Description | How to block traffic forward. drop - block silently reject - lock with feedback |
| Examples |
|
| Parameter | forward_priority |
| Meaning | From -50 to 50 |
| By default | -10 |
| Description | Priority chain for forward. |
| Examples |
|
Port knocking
If you need to open a port, only after certain knocks on certain ports. Specify the parameters for this section first [[portKnocking]], and then specify the other parameters of this section.
| Parameter | [[portKnocking]] |
| Meaning | Specifying the settings groupPort knocking |
| By default | |
| Description |
This is a group of settings Port knocking. [[portKnocking]] You can specify an unlimited number of groups. |
| Examples |
Another example:
Another example:
|
Naming metadata
Specify the parameters for this section first [metadataNaming], and then specify the other parameters of this section. Example:
[metadataNaming]
table_name = "shield"
chain_input_name = "input"
chain_output_name = "output"
chain_forward_name = "forward"
| Parameter | table_name |
| Meaning | From 1 character to 32 characters The following characters are allowed: a-zA-Z0-9_- |
| By default | shield |
| Description | The name of the table in. nftables |
| Examples |
|
| *** | |
|---|---|
| Parameter | chain_input_name |
| Meaning | From 1 character to 32 characters The following characters are allowed: a-zA-Z0-9_- |
| By default | input |
| Description | The name of the chain for incoming traffic. |
| Examples |
|
| *** | |
| Parameter | chain_output_name |
| Meaning | From 1 character to 32 characters The following characters are allowed: a-zA-Z0-9_- |
| By default | output |
| Description | The name of the chain for outgoing traffic. |
| Examples |
|
| *** | |
| Parameter | chain_forward_name |
| Meaning | From 1 character to 32 characters The following characters are allowed: a-zA-Z0-9_- |
| By default | forward |
| Description | The name forward of the traffic chain. |
| Examples |
|