diff options
| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-08-30 17:05:22 +0200 |
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-09-13 11:59:11 +0200 |
| commit | 31587975258a7ca8158ae6b7c490ac5e0ae4dd71 (patch) | |
| tree | 5f2cf187eced90478122525698b9a12477cb2620 /data/templates | |
| parent | 450ca9a9b46d69036af432ddad316d4ddb126085 (diff) | |
| download | vyos-1x-31587975258a7ca8158ae6b7c490ac5e0ae4dd71.tar.gz vyos-1x-31587975258a7ca8158ae6b7c490ac5e0ae4dd71.zip | |
firewall: T2199: Move initial firewall tables to data
Diffstat (limited to 'data/templates')
| -rw-r--r-- | data/templates/firewall/nftables.j2 | 163 |
1 files changed, 0 insertions, 163 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 3beb7fb92..be9ff3a82 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -213,166 +213,3 @@ table ip6 filter { include "{{ zone6_conf }}" {% endif %} } - -{% if first_install is vyos_defined %} -table ip nat { - chain PREROUTING { - type nat hook prerouting priority -100; policy accept; - counter jump VYOS_PRE_DNAT_HOOK - } - - chain POSTROUTING { - type nat hook postrouting priority 100; policy accept; - counter jump VYOS_PRE_SNAT_HOOK - } - - chain VYOS_PRE_DNAT_HOOK { - return - } - - chain VYOS_PRE_SNAT_HOOK { - return - } -} - -table ip vyos_static_nat { - chain PREROUTING { - type nat hook prerouting priority -100; policy accept; - counter jump VYOS_PRE_DNAT_HOOK - } - - chain POSTROUTING { - type nat hook postrouting priority 100; policy accept; - counter jump VYOS_PRE_SNAT_HOOK - } - - chain VYOS_PRE_DNAT_HOOK { - return - } - - chain VYOS_PRE_SNAT_HOOK { - return - } -} - -table ip6 nat { - chain PREROUTING { - type nat hook prerouting priority -100; policy accept; - counter jump VYOS_DNPT_HOOK - } - - chain POSTROUTING { - type nat hook postrouting priority 100; policy accept; - counter jump VYOS_SNPT_HOOK - } - - chain VYOS_DNPT_HOOK { - return - } - - chain VYOS_SNPT_HOOK { - return - } -} - -table inet mangle { - chain FORWARD { - type filter hook forward priority -150; policy accept; - } -} - -table raw { - chain VYOS_TCP_MSS { - type filter hook forward priority -300; policy accept; - } - - chain PREROUTING { - type filter hook prerouting priority -200; policy accept; - counter jump VYOS_CT_IGNORE - counter jump VYOS_CT_TIMEOUT - counter jump VYOS_CT_PREROUTING_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain OUTPUT { - type filter hook output priority -200; policy accept; - counter jump VYOS_CT_IGNORE - counter jump VYOS_CT_TIMEOUT - counter jump VYOS_CT_OUTPUT_HOOK - counter jump FW_CONNTRACK - notrack - } - - ct helper rpc_tcp { - type "rpc" protocol tcp; - } - - ct helper rpc_udp { - type "rpc" protocol udp; - } - - ct helper tns_tcp { - type "tns" protocol tcp; - } - - chain VYOS_CT_HELPER { - ct helper set "rpc_tcp" tcp dport {111} return - ct helper set "rpc_udp" udp dport {111} return - ct helper set "tns_tcp" tcp dport {1521,1525,1536} return - return - } - - chain VYOS_CT_IGNORE { - return - } - - chain VYOS_CT_TIMEOUT { - return - } - - chain VYOS_CT_PREROUTING_HOOK { - return - } - - chain VYOS_CT_OUTPUT_HOOK { - return - } - - chain FW_CONNTRACK { - accept - } -} - -table ip6 raw { - chain VYOS_TCP_MSS { - type filter hook forward priority -300; policy accept; - } - - chain PREROUTING { - type filter hook prerouting priority -300; policy accept; - counter jump VYOS_CT_PREROUTING_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain OUTPUT { - type filter hook output priority -300; policy accept; - counter jump VYOS_CT_OUTPUT_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain VYOS_CT_PREROUTING_HOOK { - return - } - - chain VYOS_CT_OUTPUT_HOOK { - return - } - - chain FW_CONNTRACK { - accept - } -} -{% endif %} |