Firewalls

OK, so I don't know what to write for the title; I just have some questions related to firewalls. I have been developing a frontend for nftables, much like UFW and firewalld, in order to teach myself about cyber security. I want this tool to be helpful in deciding what rules and policies to make. My questions are: how would I make this tool more like firewalld, which is a daemon doing dynamic packet filtering? How would I make this tool more useful than just a frontend CLI for ease of setting up a table in nftables? Secondly, what guides are there that specifically outline what rules are useful to have in a firewall, and I mean in detail, specific rules, for example "drop all ICMP packets", and the reasons to apply these rules, etc.? Anything is helpful. Thanks.
4 Replies
『 Yos✞eph 』
For the "what guides are there that specifically outline what rules are useful to have in a firewall, and I mean in detail, specific rules, for example 'drop all ICMP packets', and the reasons to apply these rules, etc.?" part, these links should be of use:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf
https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
BaconHairCowboy (OP), 4d ago
Thanks! This is really helpful, gotta give these a read.
smartest guys in the guninvalid
I've had a lot of success using pfSense firewalls. Unfortunately I don't have experience with nftables, so I can't help you there directly, but you can probably learn a lot from the manpage; almost anything you could want to do is probably in there somewhere, so I'd say go through and look for whatever you're looking for. If it's hard to read, Google (or ChatGPT :blobnauseated:) will take good care of it.

As for useful functionality, it depends a lot on your use case, but if the firewall is meant to connect to your wider internet, it's usually a good idea to just block all incoming traffic. Now if you're doing a more interesting network that needs to be able to serve HTTP(S) and DNS and POP3 or whatever the fuck, then you have a much more interesting situation, but you can get to that when you get to that :)
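The "block all incoming traffic" default from the reply above, plus the "drop all ICMP packets" rule the question asks about, written out as the kind of nftables ruleset a frontend like the one being built could generate. This is an added example, not code posted by anyone in the thread and not a firewalld or UFW ruleset. It assumes an end host (not a router) where SSH on port 22 is the only inbound service; the function name gen_ruleset and the log prefix are made up for the example. Two points worth seeing in code rather than prose: the file starts with `flush ruleset` so that `nft -f` replaces the whole policy atomically (which is how a daemon-style frontend can push changes at runtime without a window where the firewall is half-loaded), and ICMP is rate-limited rather than dropped outright, because IPv6 neighbour discovery and path-MTU discovery are ICMPv6 and stop working if "all ICMP" is dropped.

```shell
#!/bin/sh
# Added example (not from the thread): emit a default-deny-inbound nftables
# ruleset of the kind a frontend like the OP's might generate.
# Assumptions (not stated in the thread): end host, not a router; inbound TCP
# ports are passed as a space-separated list; no interface-specific rules.

gen_ruleset() {
    # $1: space-separated inbound TCP ports to allow (may be empty)
    allow_tcp="${1:-}"
    cat <<EOF
#!/usr/sbin/nft -f
# 'flush ruleset' inside the file makes 'nft -f' swap the whole ruleset in
# one transaction, so there is never a moment with a partially loaded policy.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback must always be allowed or local services break.
        iif "lo" accept

        # Replies to flows this host opened, and related packets such as
        # ICMP errors for an existing connection. Drop malformed/unknown.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is mandatory for IPv6 (neighbour discovery, path MTU);
        # dropping "all ICMP" would break IPv6, so only echo is rate-limited.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept
EOF
    for p in $allow_tcp; do
        printf '        tcp dport %s ct state new accept\n' "$p"
    done
    cat <<EOF

        # Anything else falls through to the chain policy (drop);
        # log a sample of it so the operator can see what is being refused.
        limit rate 10/minute log prefix "nft-input-drop: "
    }
    chain forward {
        # Not a router: forward nothing.
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to a temp file and, when nft is installed and we are
# root, dry-run it with 'nft -c -f' (parse and validate without applying).
check_ruleset() {
    f=$(mktemp) || return 1
    gen_ruleset "$1" > "$f"
    rc=0
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$f" || rc=1
    fi
    rm -f "$f"
    return "$rc"
}

# Usage (as root): gen_ruleset "22" > /etc/nftables.conf && nft -f /etc/nftables.conf
# Inspect what the kernel actually holds afterwards with: nft list ruleset
```

The generated file is ordinary nft syntax, so the frontend can keep it as its canonical output, diff it against `nft list ruleset`, and re-apply it with `nft -f` whenever a rule changes; that is the same atomic-replace path firewalld relies on underneath, so the "daemon" part of the question is mostly about when to regenerate and re-apply, not about a different kernel mechanism.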
BaconHairCowboy (OP), 3d ago
Ye, makes sense, thanks for the help 👍