# Start from an empty kernel ruleset. This removes *every* table currently
# loaded, not just tiny-snitch's own - rules installed by other tools on the
# host (container runtimes, virtualization stacks, distro firewalls) go too,
# so this file must be the single source of truth for packet filtering.
flush ruleset
# ipv4
# Every chain below drops by default. Established TCP is accepted in the
# kernel; everything else - new TCP, all UDP and ICMP, loopback included -
# is handed to the userspace daemon on nfqueue 0, which answers NF_ACCEPT
# or NF_DROP per packet (UDP flows are therefore re-queued on every packet).
# The queue statement carries no `bypass` flag: if nothing is listening on
# queue 0 the kernel drops the queued packets, so the host fails closed.
table ip tiny-snitch {
	# packets addressed to this host
	chain inbound {
		type filter hook input priority 0; policy drop;
		meta l4proto tcp ct state established counter accept
		counter queue num 0
	}

	# packets generated by this host
	chain outbound {
		type filter hook output priority 0; policy drop;
		meta l4proto tcp ct state established counter accept
		counter queue num 0
	}

	# packets routed through this host (only relevant with ip_forward on)
	chain forwarding {
		type filter hook forward priority 0; policy drop;
		meta l4proto tcp ct state established counter accept
		counter queue num 0
	}
}
# drop all ipv6
# Nothing is queued to userspace here: all IPv6 on input, output and forward
# is dropped outright, which also covers ICMPv6 neighbor discovery and the
# ::1 loopback address. IPv6 is effectively disabled on this host.
table ip6 tiny-snitch {
	chain inbound {
		type filter hook input priority 0; policy drop;
	}

	chain outbound {
		type filter hook output priority 0; policy drop;
	}

	chain forwarding {
		type filter hook forward priority 0; policy drop;
	}
}