Diffstat (limited to 'data/vyos-firewall-init.conf')
-rw-r--r--data/vyos-firewall-init.conf88
1 files changed, 15 insertions, 73 deletions
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index 41e7627f5..cd7d5011f 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -9,6 +9,7 @@ table ip nat {
}
table inet mangle {
+ # Used by system flow-accounting
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
@@ -19,61 +20,18 @@ table raw {
type filter hook forward priority -300; policy accept;
}
- chain PREROUTING {
- type filter hook prerouting priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_PREROUTING_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_OUTPUT_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
- ct helper set "rpc_tcp" tcp dport {111} return
- ct helper set "rpc_udp" udp dport {111} return
- ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
- return
- }
-
- chain VYOS_CT_IGNORE {
- return
- }
-
- chain VYOS_CT_TIMEOUT {
- return
- }
-
- chain VYOS_CT_PREROUTING_HOOK {
+ chain vyos_global_rpfilter {
return
}
- chain VYOS_CT_OUTPUT_HOOK {
- return
+ chain vyos_rpfilter {
+ type filter hook prerouting priority -300; policy accept;
+ counter jump vyos_global_rpfilter
}
- chain FW_CONNTRACK {
- return
+ # Used by system flow-accounting
+ chain VYOS_PREROUTING_HOOK {
+ type filter hook prerouting priority -300; policy accept;
}
}
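Review bot: `vyos_rpfilter` and `VYOS_PREROUTING_HOOK` are both base chains on the prerouting hook at priority -300 in the same table, and nftables does not specify the evaluation order of base chains sharing a hook and priority, so whether the flow-accounting chain sees packets that the rpfilter check drops depends on registration order rather than on anything stated in this file. If the rpfilter check is meant to run before accounting, give the accounting chain a distinct priority, e.g. `type filter hook prerouting priority -299; policy accept;`, or state in the comment that the two chains are order-independent. The same pair is added in the ip6 raw hunk below. Note also that the removed PREROUTING/OUTPUT chains ended in `notrack`, so after this change the init ruleset no longer opts traffic out of conntrack by default; presumably that logic now lives in a separate conntrack ruleset, but a one-line comment pointing there would save the next reader from assuming it was lost. The enclosing `table raw` block opens before this hunk.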
@@ -82,33 +40,17 @@ table ip6 raw {
type filter hook forward priority -300; policy accept;
}
- chain vyos_rpfilter {
- type filter hook prerouting priority -300; policy accept;
- }
-
- chain PREROUTING {
- type filter hook prerouting priority -300; policy accept;
- counter jump VYOS_CT_PREROUTING_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
- counter jump VYOS_CT_OUTPUT_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain VYOS_CT_PREROUTING_HOOK {
+ chain vyos_global_rpfilter {
return
}
- chain VYOS_CT_OUTPUT_HOOK {
- return
+ chain vyos_rpfilter {
+ type filter hook prerouting priority -300; policy accept;
+ counter jump vyos_global_rpfilter
}
- chain FW_CONNTRACK {
- return
+ # Used by system flow-accounting
+ chain VYOS_PREROUTING_HOOK {
+ type filter hook prerouting priority -300; policy accept;
}
}