Firewall nftables settings (firewall.toml)

By default, the settings from the firewall are located here:

/etc/kor-elf-shield/firewall.toml

The path to these settings can be changed in the main settings and can be found here (parameter firewall).

A copy of the full settings file is here.

There are several sections in this file:


Port Settings

These settings should be located at the beginning of the file before the sections: "Settings IPv4", "Settings IPv6", "General Settings", "Default Action Policy", "Metadata naming".

Parameter [[ports]]
Meaning We specify a group of port settings
By default  
Description This is a group of port settings. [[ports]] You can specify an unlimited number of groups.

[[ports]]
numbers - Port numbers (required field)
directions - Incoming (in), outgoing traffic (out) (required field)
protocols - Protocol: tcp, udp (required field)
action - Action: accept, drop or reject (required field)
limit_rate - Specify restrictions if necessary (optional field)

numbers - you can specify one or more ports, but the rules will be created separately for each port.
directions - if we specify in and out, then each rule is created separately in its own chain.
protocols - if and is specified tcp udp, then each rule is created separately for each protocol.

action:
accept - allow
drop  - block silently
reject  - lock with feedback

limit_rate - install it according to the documentation nftables(limit rate).
Examples
[[ports]]
numbers = [22]
directions = ["in", "out"]
protocols = ["tcp"]
action = "accept"

[[ports]]
numbers = [80,443]
directions = ["in", "out"]
protocols = ["tcp"]
action = "accept"

[[ports]]
numbers = [53]
directions = ["in", "out"]
protocols = ["tcp", "udp"]
action = "accept"
Another example:
[[ports]]
numbers = [22]
directions = ["in", "out"]
protocols = ["tcp"]
action = "accept"
Another example:
[[ports]]
numbers = [22]
directions = ["in"]
protocols = ["tcp"]
action = "drop"

[[ports]]
numbers = [22]
directions = ["out"]
protocols = ["tcp"]
action = "accept"

[[ports]]
numbers = [80,443]
directions = ["in", "out"]
protocols = ["tcp"]
action = "accept"
limit_rate = "10/second"
***
Parameter [[ips]]
Meaning We specify a group of IP address settings
By default  
Description

We specify IP the addresses that should be allowed or prohibited. [[ips]] You can specify an unlimited number of groups.

[[ips]]
ips - List of IP addresses (required field)
directions - Incoming (in)and outgoing traffic (out) (required field)
action -
Action: accept, drop or reject (required field)
ports - Port numbers (optional field)
protocols - Protocol: tcp, udp (optional field)
limit_rate - Specify restrictions if necessary (optional field)

ips - you can specify one or more IP addresses, but the rules will be created separately for each address.
ports - you can specify one or more ports, but the rules will be created separately for each port.
directions - if we specify in and out, then each rule is created separately in its own chain.
protocols - if and is specified tcp udp, then each rule is created separately for each protocol.

Attention:
If protocols not specified, but specified ports, the rules will be added with the protocol TCP. protocols works together with ports If protocols it is specified, but ports not, then a rule will be added without taking these fields into account.

action:
accept - allow
drop - block silently
reject - lock with feedback

limit_rate - install it according to the documentation nftables (limit rate).

Examples
[[ips]]
ips = ["192.168.1.1", "fe80::260:8ff:fe52:f9d8"]
action = "accept"
directions = ["in", "out"]
protocols = ["tcp", "udp"]
ports = ["80"]
limit_rate = "10/second"

[[ips]]
ips = ["192.168.1.2"]
action = "drop"
directions = ["in"]
Another example:
[[ips]]
ips = ["192.168.1.2"]
action = "drop"
directions = ["in"]

Settings IPv4

Specify the parameters for this section first [ip4], and then specify the other parameters of this section. Example:

[ip4]
icmp_in = true
icmp_in_rate = "1/second"
icmp_out = true
Parameter icmp_in
Meaning true or false
By default true
Description Allow incoming PING. Disabling PING it may disrupt the operation of external monitoring.
true  - includes
false - turns it off
Examples
icmp_in = true
icmp_in = false
***
Parameter icmp_in_rate
Meaning Set limits on the number of simultaneous packets per second.
By default 1/second
Description Set limits on the number of simultaneous incoming packets per second. If the number of packets exceeds the specified period, the remaining packets will be discarded. If you notice unwanted losses, increase the value or disable it.

To disable the speed limit, set the value to "0", otherwise set it according to the documentation nftables (limit rate). For example, «1/second»it will limit transmission to one packet per second.
Examples
icmp_in_rate = "1/second"
icmp_in_rate = "0"
icmp_in_rate = "3/second"
***
Parameter icmp_out
Meaning true or false
By default true
Description Allow outgoing PING. If there are no special reasons, it is better not to disable it, otherwise it may disrupt the OS.
true - includes
false - turns it off
Examples
icmp_out = true
icmp_out = false
***
Parameter icmp_out_rate
Meaning Set limits on the number of simultaneous packets per second.
By default 0
Description Set limits on the number of simultaneous outgoing packets per second. If the number of packets exceeds the specified period, the remaining packets will be discarded. If there are no special reasons, it is better not to include restrictions, otherwise it may disrupt the OS.

To disable the speed limit, set the value to "0", otherwise set it according to the documentation nftables (limit rate). For example, «1/second»it will limit transmission to one packet per second.
Examples
icmp_out_rate = "1/second"
icmp_out_rate = "0"
icmp_out_rate = "3/second"
***
Parameter icmp_timestamp_drop
Meaning true or false
By default false
Description Block ICMP timestamprequests. In fact, there is almost no real threat, but sometimes IT auditors insist on blocking ICMP timestamprequests.
true  - includes
false - turns it off
Examples
icmp_timestamp_drop = true
icmp_timestamp_drop = false

Settings IP6

Specify the parameters for this section first [ip6], and then specify the other parameters of this section. Example:

[ip6]
enable = true
icmp_strict = false
Parameter enable
Meaning true or false
By default false
Description Enables support IPv6. If IPv6 turned off, all settings related to IPv6 will be ignored.
true  - includes
false - turns it off
Examples
enable = true
enable = false
***
Parameter icmp_strict
Meaning true or false
By default false
Description IPv6 It actively uses packages ICMPV6, so strict mode ICMPV6 is disabled by default. However, this may increase the risk of attacks on ICMPV6. You can enable strict mode, but this may cause problems with some types of connections.
true  - includes
false - turns it off
Examples
icmp_strict = true
icmp_strict = false

General settings

Specify the parameters for this section first [options], and then specify the other parameters of this section. Example:

[options]
cache = true
clear_mode = "global"
saves_rules = false
saves_rules_path = "/etc/nftables.conf"
dns_strict = false
dns_strict_ns = false
packet_filter = true
Parameter cache
Meaning true or false
By default true
Description Enables caching to avoid constantly compiling commands nftables into a temporary file. The cache file changes after changing the settings or updating the program version.
true  - includes
false - turns it off
Examples
cache = true
cache = false
Parameter clear_mode
Meaning global or own
By default global
Description

Switching the firewall cleaning mode nftables. If you specify "own", there may be a conflict in the rules. It can cause a security problem. Please indicate "own" if you are confident in your actions.

global - clears all the rules completely
own - clears only the rules from the table that are specified in the parameter table_name

Examples
clear_mode = global
clear_mode = own
Parameter saves_rules
Meaning true or false
By default false
Description Will the daemon save the rules to a system file nftables? Don't forget to check that the path to nftables matches your OS. If you do not save the rules to the system file nftables, then after restarting the program nftables (for example, after updating) all the rules will be erased. Nevertheless, by default, we decided to disable automatic saving of rules to the system file nftables, because we first need to make sure that the parameter saves_rules_path points to the correct file.
true  - includes
false - turns it off
Examples
saves_rules = true
saves_rules = false
Parameter saves_rules_path
Meaning Specifying the path to the file
By default /etc/nftables.conf
Description The path where the rules for will be saved nftables. Specify the path that corresponds to your OS. The path must be absolute. The relative path will cause an error! It must be indicated at the end .conf.
Examples
saves_rules_path = "/etc/nftables.conf"
Parameter dns_strict
Meaning true or false
By default false
Description Includes strict nftables k DNS-traffic rules. If you enable this mode, some rules related to DNSwill not be added to nftables. This will improve security and prevent abuse of the local DNSserver. But it can cause problems related to. DNS
true  - includes
false - turns it off
Examples
dns_strict = true
dns_strict = false
Parameter dns_strict_ns
Meaning true or false
By default false
Description Includes strict nftables rules for DNSinternet traffic. If you enable this mode, the rules for allowing IP port 53 addresses (incoming and outgoing) that are specified in will not be added. /etc/resolv.conf This can trigger a problem with DNS.
true  - includes
false - turns it off
Examples
dns_strict_ns = true
dns_strict_ns = false
Parameter packet_filter
Meaning true or false
By default true
Description Adds nftables packages that break the order to the filtering. It is not recommended to disable it!
true  - includes
false - turns it off
Examples
packet_filter = true
packet_filter = false

Default Action Policy

Specify the parameters for this section first [policy], and then specify the other parameters of this section. Example:

[policy]
default_allow_input = false
default_allow_output = false
default_allow_forward = false
Parameter default_allow_input
Meaning true or false
By default false
Description Allow incoming traffic by default.
true  - includes
false - turns it off
Examples
default_allow_input = true
default_allow_input = false
Parameter default_allow_output
Meaning true or false
By default false
Description Allow outgoing traffic by default.
true  - includes
false - turns it off
Examples
default_allow_output = true
default_allow_output = false
Parameter default_allow_forward
Meaning true or false
By default false
Description Allow forward трафик by default.
true  - includes
false - turns it off
Examples
default_allow_forward = true
default_allow_forward = false
Parameter input_drop
Meaning drop or reject
By default drop
Description How to block incoming traffic.
drop  - block silently
reject - lock with feedback
Examples
input_drop = "drop"
input_drop = "reject"
Parameter input_priority
Meaning From -50 to 50 
By default -10
Description Priority chain for input.
Examples
input_priority = -10
input_priority = 0
Parameter output_drop
Meaning drop or reject
By default reject
Description How to block outgoing traffic.
drop  - block silently
reject - lock with feedback
Examples
output_drop = "drop"
output_drop = "reject"
Parameter output_priority
Meaning From -50 to 50 
By default -10
Description Priority chain for output.
Examples
output_priority = -10
output_priority = 0
Parameter forward_drop
Meaning drop or reject
By default drop
Description How to block traffic forward.
drop  - block silently
reject - lock with feedback
Examples
forward_drop = "drop"
forward_drop = "reject"
Parameter forward_priority
Meaning From -50 to 50 
By default -10
Description Priority chain for forward.
Examples
forward_priority = -10
forward_priority = 0

Port knocking

If you need to open a port, only after certain knocks on certain ports. Specify the parameters for this section first [[portKnocking]], and then specify the other parameters of this section.

Parameter [[portKnocking]]
Meaning Specifying the settings groupPort knocking
By default  
Description

This is a group of settings Port knocking. [[portKnocking]] You can specify an unlimited number of groups.

[[portKnocking]]
name -
The name must be unique and characters are allowed.: a-z, A-Z, -, _
port - The port number that needs to be opened after all knocks
protocol - Protocol: tcpudp
ip_version - Version IP: ip4,ip6
[[portKnocking.knock]]
- knock
port - Knock port
protocol - Knock protocol: tcp, udp
timeout
- The time in seconds for which the knock works
action - During a knock, which answer should I give: accept, return, drop or reject

Examples
[[portKnocking]]
name = "ssh"
port = 22
protocol = "tcp"
ip_version = "ip4"
[[portKnocking.knock]]
port = 2222
protocol = "tcp"
timeout = 30
action = "drop"
[[portKnocking.knock]]
port = 2225
protocol = "tcp"
timeout = 30
action = "drop"

[[portKnocking]]
name = "ftp"
port = 21
protocol = "tcp"
ip_version = "ip4"
[[portKnocking.knock]]
port = 2121
protocol = "tcp"
timeout = 30
action = "drop"
Another example:
[[portKnocking]]
name = "ssh"
port = 22
protocol = "tcp"
ip_version = "ip4"
[[portKnocking.knock]]
port = 2222
protocol = "tcp"
timeout = 10
action = "drop"
Another example:
[[portKnocking]]
name = "ssh"
port = 22
protocol = "tcp"
ip_version = "ip4"
[[portKnocking.knock]]
port = 2222
protocol = "tcp"
timeout = 30
action = "drop"
[[portKnocking.knock]]
port = 2225
protocol = "tcp"
timeout = 30
action = "drop"

[[portKnocking]]
name = "ftp"
port = 21
protocol = "tcp"
ip_version = "ip4"
[[portKnocking.knock]]
port = 2121
protocol = "tcp"
timeout = 30
action = "drop"
[[portKnocking.knock]]
port = 2122
protocol = "tcp"
timeout = 30
action = "drop"
[[portKnocking.knock]]
port = 2221
protocol = "tcp"
timeout = 30
action = "drop"

Naming metadata

Specify the parameters for this section first [metadataNaming], and then specify the other parameters of this section. Example:

[metadataNaming]
table_name = "shield"
chain_input_name = "input"
chain_output_name = "output"
chain_forward_name = "forward"
Parameter table_name
Meaning From 1 character to 32 characters
The following characters are allowed: a-zA-Z0-9_-
By default shield
Description The name of the table in. nftables
Examples
table_name = "shield"
***
Parameter chain_input_name
Meaning From 1 character to 32 characters
The following characters are allowed: a-zA-Z0-9_-
By default input
Description The name of the chain for incoming traffic.
Examples
chain_input_name = "input"
***
Parameter chain_output_name
Meaning From 1 character to 32 characters
The following characters are allowed: a-zA-Z0-9_-
By default output
Description The name of the chain for outgoing traffic.
Examples
chain_output_name = "output"
***
Parameter chain_forward_name
Meaning From 1 character to 32 characters
The following characters are allowed: a-zA-Z0-9_-
By default forward
Description The name forward of the traffic chain.
Examples
chain_forward_name = "forward"