Firewall nftables settings (firewall.toml)

By default, the settings from the firewall are located here:

/etc/kor-elf-shield/firewall.toml

The path to this file can be changed in the main settings (the firewall parameter); see here.

A copy of the full settings file is here.

There are several sections in this file:

Port Settings ([[ports]] and [[ips]] groups)
IPv4 Settings ([ip4])
IPv6 Settings ([ip6])
General Settings ([options])
Default Action Policy ([policy])
Metadata Naming ([metadataNaming])

Port Settings

These settings must be placed at the beginning of the file, before the "IPv4 Settings", "IPv6 Settings", "General Settings", "Default Action Policy" and "Metadata Naming" sections.

Parameter [[ports]]
Meaning A group of port settings
By default
Description A group of port rules. Any number of [[ports]] groups may be specified; each group has the fields below.

[[ports]]
numbers - Port numbers (required field)
directions - Incoming (in), outgoing (out) traffic (required field)
protocols - Protocol: tcp, udp (required field)
action - Action: accept, drop, or reject (required field)
limit_rate - Specify restrictions if necessary (optional field)

numbers - one or more ports may be listed, but a separate rule is created for each port.
directions - if both in and out are specified, a separate rule is created in each chain (input and output).
protocols - if both tcp and udp are specified, a separate rule is created for each protocol.

action:
accept - allow
drop - block silently
reject - block and send a rejection response to the sender

limit_rate - a rate limit in nftables limit rate syntax (see the nftables documentation), for example "10/second".
Examples
[[ports]]
numbers = [22]
directions = ["in", "out"]
protocols = ["tcp"]
action = "accept"

[[ports]]
numbers = [80,443]
directions = ["in", "out"]
protocols = ["tcp"]
action = "accept"

[[ports]]
numbers = [53]
directions = ["in", "out"]
protocols = ["tcp", "udp"]
action = "accept"
Another example:
[[ports]]
numbers = [22]
directions = ["in"]
protocols = ["tcp"]
action = "drop"

[[ports]]
numbers = [22]
directions = ["out"]
protocols = ["tcp"]
action = "accept"

[[ports]]
numbers = [80,443]
directions = ["in", "out"]
protocols = ["tcp"]
action = "accept"
limit_rate = "10/second"
***
Parameter [[ips]]
Meaning A group of IP address settings
By default
Description A group of rules that allow or block traffic for specific IP addresses. Any number of [[ips]] groups may be specified; each group has the fields below.

[[ips]]
ips - List of IP addresses (required field)
directions - Incoming (in), outgoing (out) traffic (required field)
action - Action: accept, drop, or reject (required field)
ports - Port numbers (optional field)
protocols - Protocol: tcp, udp (optional field)
limit_rate - Specify restrictions if necessary (optional field)

ips - one or more IP addresses may be listed, but a separate rule is created for each address.
ports - one or more ports may be listed, but a separate rule is created for each port.
directions - if both in and out are specified, a separate rule is created in each chain (input and output).
protocols - if both tcp and udp are specified, a separate rule is created for each protocol.

Attention:
protocols only takes effect together with ports. If ports is specified but protocols is not, the rules are created for TCP. If protocols is specified but ports is not, both fields are ignored and the rule is created from the address and direction alone.

action:
accept - allow
drop - block silently
reject - block and send a rejection response to the sender

limit_rate - a rate limit in nftables limit rate syntax (see the nftables documentation), for example "10/second".

Examples
[[ips]]
ips = ["192.168.1.1", "fe80::260:8ff:fe52:f9d8"]
action = "accept"
directions = ["in", "out"]
protocols = ["tcp", "udp"]
ports = ["80"]
limit_rate = "10/second"

[[ips]]
ips = ["192.168.1.2"]
action = "drop"
directions = ["in"]
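
To make the expansion rules for [[ports]] and [[ips]] concrete, here is an added example (not kor-elf-shield's own code) that turns the groups of a parsed firewall.toml into one rule per address, port, direction and protocol, including the protocols/ports caveat described above. The nft match syntax, the input/output chain names, and matching inbound traffic on the source address (saddr) and outbound traffic on the destination address (daddr) are assumptions for illustration; the daemon's real output may differ.

```python
from itertools import product
try:
    import tomllib  # Python 3.11+; used only to parse the constructed sample below
except ModuleNotFoundError:
    tomllib = None

CHAIN = {"in": "input", "out": "output"}  # assumed: metadataNaming defaults
ADDR = {"in": "saddr", "out": "daddr"}    # assumed: inbound matches source, outbound destination

def _limit(group):
    rate = group.get("limit_rate")
    return f" limit rate {rate}" if rate and rate != "0" else ""

def expand_ports(group):
    """[[ports]]: one rule per port x direction x protocol, as the page states."""
    return [f"{CHAIN[d]}: {p} dport {port}{_limit(group)} {group['action']}"
            for port, d, p in product(group["numbers"], group["directions"], group["protocols"])]

def expand_ips(group):
    """[[ips]]: one rule per address x direction, times port x protocol when ports is set.
    Page caveat: ports without protocols means tcp; protocols without ports is ignored."""
    ports = group.get("ports") or []
    protos = (group.get("protocols") or ["tcp"]) if ports else []
    rules = []
    for ip, d in product(group["ips"], group["directions"]):
        match = f"{'ip6' if ':' in ip else 'ip'} {ADDR[d]} {ip}"
        if not ports:
            rules.append(f"{CHAIN[d]}: {match}{_limit(group)} {group['action']}")
        for port, p in product(ports, protos):
            rules.append(f"{CHAIN[d]}: {match} {p} dport {port}{_limit(group)} {group['action']}")
    return rules

def expand_config(cfg):
    """Expand every group of a parsed firewall.toml (the dict tomllib.loads returns)."""
    return ([r for g in cfg.get("ports", []) for r in expand_ports(g)]
            + [r for g in cfg.get("ips", []) for r in expand_ips(g)])

SAMPLE = """# constructed sample, taken from the [[ips]] example above
[[ips]]
ips = ["192.168.1.1", "fe80::260:8ff:fe52:f9d8"]
action = "accept"
directions = ["in", "out"]
protocols = ["tcp", "udp"]
ports = ["80"]
limit_rate = "10/second"
"""

if __name__ == "__main__" and tomllib:
    print("\n".join(expand_config(tomllib.loads(SAMPLE))))
```

Running it prints eight rules for the sample group (2 addresses x 2 directions x 1 port x 2 protocols), which is the fan-out to expect in the live ruleset.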

IPv4 Settings

The parameters of this section go under the [ip4] table header. Example:

[ip4]
icmp_in = true
icmp_in_rate = "1/second"
icmp_out = true
Parameter icmp_in
Meaning true or false
By default true
Description Allow incoming PING (ICMP echo requests). Disabling it may break external monitoring.
true - enabled
false - disabled
Examples
icmp_in = true
icmp_in = false
***
Parameter icmp_in_rate
Meaning Rate limit for incoming ICMP packets
By default 1/second
Description Limits the rate of incoming ICMP packets. Packets above the limit are discarded. If you notice unwanted losses, raise the value or disable the limit.

To disable the rate limit, set the value to "0"; otherwise use nftables limit rate syntax (see the nftables documentation). For example, "1/second" allows one packet per second.
Examples
icmp_in_rate = "1/second"
icmp_in_rate = "0"
icmp_in_rate = "3/second"
***
Parameter icmp_out
Meaning true or false
By default true
Description Allow outgoing PING (ICMP echo requests). Unless there is a specific reason, do not disable it, as this may disrupt the OS.
true - enabled
false - disabled
Examples
icmp_out = true
icmp_out = false
***
Parameter icmp_out_rate
Meaning Rate limit for outgoing ICMP packets
By default 0
Description Limits the rate of outgoing ICMP packets. Packets above the limit are discarded. Unless there is a specific reason, do not enable a limit here, as this may disrupt the OS.

To disable the rate limit, set the value to "0"; otherwise use nftables limit rate syntax (see the nftables documentation). For example, "1/second" allows one packet per second.
Examples
icmp_out_rate = "1/second"
icmp_out_rate = "0"
icmp_out_rate = "3/second"
***
Parameter icmp_timestamp_drop
Meaning true or false
By default false
Description Block ICMP timestamp requests. In practice there is almost no real threat, but IT auditors sometimes insist on blocking them.
true - enabled
false - disabled
Examples
icmp_timestamp_drop = true
icmp_timestamp_drop = false

IPv6 Settings

The parameters of this section go under the [ip6] table header. Example:

[ip6]
enable = true
icmp_strict = false
Parameter enable
Meaning true or false
By default false
Description Enables IPv6 support. If IPv6 is disabled, all IPv6-related settings are ignored.
true - enabled
false - disabled
Examples
enable = true
enable = false
***
Parameter icmp_strict
Meaning true or false
By default false
Description IPv6 relies heavily on ICMPv6, so ICMPv6 strict mode is disabled by default. This may increase the exposure to attacks via ICMPv6. Strict mode can be enabled, but it may break some kinds of connections.
true - enabled
false - disabled
Examples
icmp_strict = true
icmp_strict = false

General Settings

The parameters of this section go under the [options] table header. Example:

[options]
saves_rules = false
saves_rules_path = "/etc/nftables.conf"
dns_strict = false
Parameter saves_rules
Meaning true or false
By default false
Description Whether the daemon saves the rules to the nftables system file. Check that the path matches your OS. If the rules are not saved to the nftables system file, they are lost whenever nftables restarts (for example, after an update). Automatic saving is nevertheless disabled by default, because you must first make sure that saves_rules_path points to the correct file.
true - enabled
false - disabled
Examples
saves_rules = true
saves_rules = false
***
Parameter saves_rules_path
Meaning Path to a file
By default /etc/nftables.conf
Description The file the nftables rules are saved to. Use the path that matches your OS. The path must be absolute; a relative path causes an error. The file name must end in .conf.
Examples
saves_rules_path = "/etc/nftables.conf"
***
Parameter dns_strict
Meaning true or false
By default false
Description Enables strict nftables rules for DNS traffic. In this mode some DNS-related rules are not added to nftables. This improves security and prevents abuse of the local DNS server, but it can cause DNS problems.
true - enabled
false - disabled
Examples
dns_strict = true
dns_strict = false
***
Parameter dns_strict_ns
Meaning true or false
By default false
Description Enables strict nftables rules for DNS traffic. In this mode the rules allowing port 53 traffic (incoming and outgoing) for the nameserver IP addresses listed in /etc/resolv.conf are not added. This may cause DNS problems.
true - enabled
false - disabled
Examples
dns_strict_ns = true
dns_strict_ns = false
***
Parameter packet_filter
Meaning true or false
By default true
Description Adds packet filtering rules to nftables for packets that violate the expected order. Disabling this is not recommended!
true - enabled
false - disabled
Examples
packet_filter = true
packet_filter = false

Default Action Policy

The parameters of this section go under the [policy] table header. Example:

[policy]
default_allow_input = false
default_allow_output = false
default_allow_forward = false
Parameter default_allow_input
Meaning true or false
By default false
Description Allow incoming traffic by default.
true - enabled
false - disabled
Examples
default_allow_input = true
default_allow_input = false
***
Parameter default_allow_output
Meaning true or false
By default false
Description Allow outgoing traffic by default.
true - enabled
false - disabled
Examples
default_allow_output = true
default_allow_output = false
***
Parameter default_allow_forward
Meaning true or false
By default false
Description Allow forward traffic by default.
true - enabled
false - disabled
Examples
default_allow_forward = true
default_allow_forward = false
***
Parameter input_drop
Meaning drop or reject
By default drop
Description How incoming traffic is blocked.
drop - block silently
reject - block and send a rejection response to the sender
Examples
input_drop = "drop"
input_drop = "reject"
***
Parameter output_drop
Meaning drop or reject
By default reject
Description How outgoing traffic is blocked.
drop - block silently
reject - block and send a rejection response to the sender
Examples
output_drop = "drop"
output_drop = "reject"
***
Parameter forward_drop
Meaning drop or reject
By default drop
Description How forwarded traffic is blocked.
drop - block silently
reject - block and send a rejection response to the sender
Examples
forward_drop = "drop"
forward_drop = "reject"

Metadata Naming

The parameters of this section go under the [metadataNaming] table header. Example:

[metadataNaming]
table_name = "shield"
chain_input_name = "input"
chain_output_name = "output"
chain_forward_name = "forward"
Parameter table_name
Meaning From 1 character to 32 characters
Characters allowed: a-zA-Z0-9_-
By default shield
Description The name of the table in nftables.
Examples
table_name = "shield"
***
Parameter chain_input_name
Meaning From 1 character to 32 characters
Characters allowed: a-zA-Z0-9_-
By default input
Description The name of the chain for incoming traffic.
Examples
chain_input_name = "input"
***
Parameter chain_output_name
Meaning From 1 character to 32 characters
Characters allowed: a-zA-Z0-9_-
By default output
Description The name of the chain for outgoing traffic.
Examples
chain_output_name = "output"
***
Parameter chain_forward_name
Meaning From 1 character to 32 characters
Characters allowed: a-zA-Z0-9_-
By default forward
Description The name of the chain for forward traffic.
Examples
chain_forward_name = "forward"
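
An added example, not part of kor-elf-shield, that checks the constraints this page states for [options], [policy], [metadataNaming] and the [ip4] rate values, and renders the table and base chains with the default policy from [policy]. The nft syntax, the inet family and the way a reject default is rendered (base chain policy drop plus a final reject rule, since an nftables base-chain policy can only be accept or drop) are assumptions; the daemon's real output may differ.

```python
import re

NAME_RE = re.compile(r"^[a-zA-Z0-9_-]{1,32}$")               # "From 1 to 32 characters", a-zA-Z0-9_-
RATE_RE = re.compile(r"^(0|\d+/(second|minute|hour|day))$")  # assumed nftables limit-rate spellings
HOOKS = {"input": "chain_input_name", "output": "chain_output_name", "forward": "chain_forward_name"}
DROP_DEFAULT = {"input": "drop", "output": "reject", "forward": "drop"}  # page defaults for *_drop

def validate(cfg):
    """Problems with the [options], [policy], [metadataNaming] and [ip4] values the page constrains."""
    problems = []
    opts, pol, names, ip4 = (cfg.get(k, {}) for k in ("options", "policy", "metadataNaming", "ip4"))
    path = opts.get("saves_rules_path", "/etc/nftables.conf")
    if not (path.startswith("/") and path.endswith(".conf")):
        problems.append(f"saves_rules_path must be absolute and end in .conf: {path!r}")
    for hook in HOOKS:
        if pol.get(f"{hook}_drop", DROP_DEFAULT[hook]) not in ("drop", "reject"):
            problems.append(f"{hook}_drop must be drop or reject")
    for key, val in names.items():
        if not NAME_RE.match(str(val)):
            problems.append(f"{key}={val!r}: 1-32 characters from a-zA-Z0-9_- only")
    for key in ("icmp_in_rate", "icmp_out_rate"):
        if key in ip4 and not RATE_RE.match(str(ip4[key])):
            problems.append(f'ip4.{key}={ip4[key]!r}: use "0" or an nftables rate such as "1/second"')
    return problems

def skeleton(cfg):
    """Table and base chains with the policy from [policy]; nft syntax and the inet family are assumed.
    A base chain policy can only be accept or drop, so a reject default becomes a final reject rule."""
    pol, names = cfg.get("policy", {}), cfg.get("metadataNaming", {})
    table = names.get("table_name", "shield")
    lines = [f"add table inet {table}"]
    for hook, name_key in HOOKS.items():
        chain = names.get(name_key, hook)
        allow = pol.get(f"default_allow_{hook}", False)
        policy = "accept" if allow else "drop"
        lines.append(f"add chain inet {table} {chain} "
                     f"{{ type filter hook {hook} priority 0; policy {policy}; }}")
        if not allow and pol.get(f"{hook}_drop", DROP_DEFAULT[hook]) == "reject":
            lines.append(f"add rule inet {table} {chain} reject")
    return lines

if __name__ == "__main__":
    # constructed config: default names and policy, a relative path (invalid) and a bad rate value
    cfg = {"options": {"saves_rules_path": "nftables.conf"}, "ip4": {"icmp_in_rate": "fast"},
           "policy": {"default_allow_output": True}}
    print("\n".join(validate(cfg) + skeleton(cfg)))
```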