## homemade_firewall My own hand-made firewall learning project with nftables. ### License This program is licensed under the Affero GNU Public License v3, you can read the copy that comes along with this program or read it at [gnu.org](https://gnu.org)'s website ### Dependencies The following is needed to setup this firewall: * nftables * make * support for nftables, forwarding and conntrack in kernel And the following to run the optional makeconf.sh script: * bash version 4+ Because it makes use of bash arrays and integer variables introduced from that version onwards. ### Usage To use this firewall, you must first change the `.nft` files to suit your setup. Once you're satisfied, run: `make makeconf` to generate your nftables.conf. Run the following command before installing `make test` so nftables can check for errors. If there are no errors, you can install and run with `make install` You can verify that your new rules are in place with `nft list ruleset` To uninstall, run `make uninstall`, which will replace the contents of `/etc/nftables.conf` with the backup made at install-time and saved in `backup.conf`. ### Modifying .nft files The following are guidelines for editing the `.nft` files to your liking #### defines.nft In `defines.nft` you can place your defines. Every service under the *TCP and UDP services* comment should be placed in tcp and udp named sets. Every service under the *TCP only services* comment should be placed in the tcp named set. Services under the *UDP only services* comment should be placed in the udp named sets. #### nat.nft In `nat.nft` you can place your nat table, chains and rules. You don't need to include `defines.nft` since it is included in `filter.nft` #### filter.nft In `filter.nft` you can place your filter table, chains and rules. This is the main file where you'll do most of your work. Make sure you erase the `ipv4_geo_blacklist` named set and rules related to it if you're not going to block country-wide IP ranges. ### makeconf script This script unifies the `.nft` files into a single `nftables.conf` file ready to be placed into `/etc/nftables.conf`. It replaces includes of local `.nft` files with their contents into `filter.nft` and saves it as `nftables.conf`. It also checks which countries you want to block by checking what files exist under `/var/geoipsets/dbip/nftset/ipv4/*.ipv4` and places them into the `ipv4_geo_blacklist` named set. ### Bug-reporting Try to register an account, wait to be approved and submit an issue. If I take too long to approve your account or I reject your application, you can send me an email at celsochan@disroot.org