From c42eaa59e3e6deeff9505b420d8e8d4495a92677 Mon Sep 17 00:00:00 2001
From: Sven Putze
Date: Fri, 28 Feb 2020 21:31:19 +0100
Subject: [PATCH 1/3] Includes extra file with possible custom firewall rules. This way users can add their own rules by hand or maybe later with a gui tool without fearing that their changes will be overwritten by future updates of the nftable or a TridentOS package. This extra file must still be included in the installer.
---
 void-files/etc/firewall-conf/custom-inbound.conf | 12 ++++++++++++
 void-files/etc/firewall-conf/open-out.conf | 2 ++
 2 files changed, 14 insertions(+)
 create mode 100644 void-files/etc/firewall-conf/custom-inbound.conf
diff --git a/void-files/etc/firewall-conf/custom-inbound.conf b/void-files/etc/firewall-conf/custom-inbound.conf
new file mode 100644
index 0000000..7c8bddf
--- /dev/null
+++ b/void-files/etc/firewall-conf/custom-inbound.conf
@@ -0,0 +1,12 @@
+# custom nftables ruleset
+# This file is included from /etc/firewall-conf/open-out.conf
+# and contains custom firewall rules for inbound traffic
+# rules can be added manually or by gui tools
+# Maintained by Project Trident: https://project-trident.org
+
+# uncomment to allow inbound ssh connections
+#add rule inet filter input tcp dport 22 accept
+
+# uncomment to allow inbound syncthing connections
+#add rule inet filter input tcp dport 22000 accept
+#add rule inet filter input udp dport 21027 accept
diff --git a/void-files/etc/firewall-conf/open-out.conf b/void-files/etc/firewall-conf/open-out.conf
index d42c0e5..dbf88b4
--- a/void-files/etc/firewall-conf/open-out.conf
+++ b/void-files/etc/firewall-conf/open-out.conf
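Review bot: The commented ssh example `#add rule inet filter input tcp dport 22 accept` accepts new connections on port 22 from every source, and because this file is pulled in ahead of the final `counter drop` in open-out.conf, each rule a user uncomments here is an exception to the default-deny input policy that the header never mentions. I would extend the header with `# Rules here are applied before the final drop in open-out.conf, so every accept below is a hole in the default-deny policy; a syntax error here keeps the whole ruleset from loading.` and ship the narrower form as the example, e.g. `#add rule inet filter input ip saddr 192.168.0.0/16 tcp dport 22 accept`, so that copy-and-uncomment users start from the restrictive variant. Whether a failed load leaves the host open or closed depends on how open-out.conf is applied at boot, which is not visible in this patch.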
@@ -15,5 +15,7 @@ add rule inet filter input iif lo accept
 add rule inet filter input ct state established,related accept
 # IPv6 neighbor discovery
 add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
+# include file with custum inbound rules
+include custom-inbound.conf
 # drop all other packets
 add rule inet filter input counter drop
From de18c70cefd57819c1581bf076d6a1707f4f4084 Mon Sep 17 00:00:00 2001
From: Sven Putze
Date: Sat, 29 Feb 2020 15:40:48 +0100
Subject: [PATCH 2/3] Update void-files/etc/firewall-conf/open-out.conf
Co-Authored-By: Ken Moore
---
 void-files/etc/firewall-conf/open-out.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/void-files/etc/firewall-conf/open-out.conf b/void-files/etc/firewall-conf/open-out.conf
index dbf88b4..e08fbda
--- a/void-files/etc/firewall-conf/open-out.conf
+++ b/void-files/etc/firewall-conf/open-out.conf
@@ -16,6 +16,6 @@ add rule inet filter input ct state established,related accept
 # IPv6 neighbor discovery
 add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
 # include file with custum inbound rules
-include custom-inbound.conf
+include custom-*.conf
 # drop all other packets
 add rule inet filter input counter drop
From f48f1ae4dc77b8bdbd3dfd078428b669823f1624 Mon Sep 17 00:00:00 2001
From: Sven Putze
Date: Sat, 29 Feb 2020 16:00:29 +0100
Subject: [PATCH 3/3] changed file name so that it can be copied during install without overwriting user changes.
---
 .../{custom-inbound.conf => custom-input.conf.sample} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename void-files/etc/firewall-conf/{custom-inbound.conf => custom-input.conf.sample} (100%)
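Review bot: `include custom-inbound.conf` is not valid nft syntax: the include directive takes a double-quoted string, so the line needs to be `include "custom-inbound.conf"` or, better, the absolute form `include "/etc/firewall-conf/custom-inbound.conf"`, otherwise `nft -f` rejects the whole file. As far as I recall nft resolves a relative include name against its -I/compiled-in include path (commonly /etc) rather than the directory of the including file, so a bare name may look in /etc instead of /etc/firewall-conf unless the loader passes -I, which is not visible here; the absolute path sidesteps that. The added comment has a typo and should read `# include file with custom inbound rules`. The table and chain these rules are added to are declared outside the hunk.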
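Review bot: `include custom-*.conf` still lacks the double quotes the nft grammar requires for an include, and an unquoted `*` is lexed as its own token, so the ruleset would fail to parse; the line should read `include "/etc/firewall-conf/custom-*.conf"`. With a quoted wildcard nft, as I recall, includes every match in alphabetical order and silently accepts zero matches, which suits a sample-only install but also means a misnamed drop-in is never reported. Every matching file is added verbatim ahead of the final `counter drop`, so a comment stating that order would help users who edit these files, e.g. `# every custom-*.conf in this directory is included here, before the default drop`. Whether the loader passes -I for this directory is not visible in the patch, which is another reason to prefer the absolute path.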
diff --git a/void-files/etc/firewall-conf/custom-inbound.conf b/void-files/etc/firewall-conf/custom-input.conf.sample
similarity index 100%
rename from void-files/etc/firewall-conf/custom-inbound.conf
rename to void-files/etc/firewall-conf/custom-input.conf.sample