forked from google/capirca
-
Notifications
You must be signed in to change notification settings - Fork 1
/
sample_nftables-dev.pol
42 lines (36 loc) · 1000 Bytes
/
sample_nftables-dev.pol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#
# NFTables generator policy example.
# Intended to render ICMP terms for both IPv4 and IPv6 families.
#
header {
comment:: "This policy validates handling of term.option tcp-established."
comment:: "and UDP 'established'"
target:: nftables inet6 INPUT
}
term accept-webserver-traffic {
comment:: "Allow webserver inbound traffic."
destination-address:: WEB_SERVERS
destination-port:: WEB_SERVICES
protocol:: tcp
action:: accept
}
term test-tcp-established {
comment:: "Allow tcp-established traffic."
destination-address:: MAIL_SERVERS WEB_SERVERS PUBLIC_NAT
protocol:: tcp udp
action:: accept
}
term permit-tcp-replies {
option:: tcp-established
action:: accept
}
term test-dns-replies {
comment:: "Allow DNS replies, and test udp established option."
comment:: "This should not be generated since this is a stateful policy."
source-port:: DNS
destination-address:: INTERNAL
protocol:: udp
logging:: syslog
counter:: dns-counter
action:: accept
}