Ich hab nun firewalld rausgeschmissen und bin auf die Basics zurück, pures nftables unter Debian 12.
Allerdings habe ich hier wohl auch noch einen Fehler in der Konfiguration (aus den nftables Examples entnommen).
Code
#!/usr/sbin/nft -f
flush ruleset
table inet firewall {
chain inbound_ipv4 {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
icmp type echo-request limit rate 5/second accept
}
chain inbound_ipv6 {
# accept neighbour discovery otherwise connectivity breaks
#
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# accepting ping (icmpv6-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
icmpv6 type echo-request limit rate 5/second accept
}
chain inbound {
# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Allow loopback traffic.
iifname lo accept
# Jump to chain according to layer 3 protocol using a verdict map
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
# Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
# for IPv4 and IPv6.
tcp dport { 22, 80, 443} accept
# Uncomment to enable logging of denied inbound traffic
# log prefix "[nftables] Inbound Denied: " counter drop
}
chain forward {
# Drop everything (assumes this device is not a router)
type filter hook forward priority 0; policy drop;
}
# no need to define output chain, default policy is accept if undefined.
}
Alles anzeigen
Die Konfiguration wird erfolgreich geladen
Code
nft list table inet firewall
table inet firewall {
chain inbound_ipv4 {
icmp type echo-request limit rate 5/second accept
}
chain inbound_ipv6 {
icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
icmpv6 type echo-request limit rate 5/second accept
}
chain inbound {
type filter hook input priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept }
iifname "lo" accept
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
tcp dport { 22, 80, 443 } accept
}
chain forward {
type filter hook forward priority filter; policy drop;
}
}
Alles anzeigen
Allerdings habe ich noch das Problem, dass eine Verbindung auf 51820/UDP nicht abgelehnt wird.
Die Policy für inbound ist drop, daher verstehe ich nicht warum die Verbindung trotzdem erlaubt wird.