The output chain depends on what you do on your desktop.
E.g.:
- How are you going to resolve domains? DNS over HTTPS?
- Will you have to telnet or ssh into remote systems (router)?
- Do you access CIFS or NFS on e.g. a NAS?
- Do you use a network printer?
- some sort of indispensable malware with restricted access (e.g. some useful app with privacy-invasive phone-home functionality)
And in that case see e.g. https://wiki.archlinux.org/title/Firejail but you can also use a cgroup and specific netfilter rules, https://www.kernel.org/doc/html/latest/ … t_cls.html
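As an added example (not the original poster's ruleset, nor anything from the linked pages) of what the output chain can look like once those questions are answered: the router, NAS, printer and resolver addresses and the net_cls classid below are constructed placeholders, and the restricted app is assumed to have been placed in a cgroup v1 net_cls group with that classid.

```nft
#!/usr/bin/nft -f
# Example output chain for a desktop: loopback, DHCP, DNS, web, mail,
# ssh to the router, CIFS/NFS to the NAS and printing, nothing else.
define router   = 192.168.1.1            # placeholder: box you ssh into
define nas      = 192.168.1.10           # placeholder: CIFS/NFS server
define printer  = 192.168.1.20           # placeholder: IPP/JetDirect printer
define resolver = { 1.1.1.1, 9.9.9.9 }   # placeholder: your chosen DNS servers

flush ruleset

table inet filter {
    chain output {
        type filter hook output priority 0; policy drop;

        # Processes in the net_cls cgroup with classid 0x100001 (the
        # phone-home app) get no network at all. This must come before the
        # established/related accept, or their existing flows would pass.
        meta cgroup 0x100001 counter drop comment "Restricted app"

        oif lo accept comment "Loopback"
        ct state established,related accept comment "Replies to accepted traffic"
        ct state invalid drop comment "Drop invalid connections"

        udp sport 68 udp dport 67 accept comment "DHCP client"

        # Plain DNS only to the listed resolvers. DNS over HTTPS rides on
        # 443 and is covered by the HTTPS rule; the DoH server's own name
        # still has to be bootstrapped (or the client pinned to its IP).
        ip daddr $resolver udp dport 53 accept comment "DNS"
        ip daddr $resolver tcp dport 53 accept comment "DNS over TCP"

        tcp dport { 80, 443 } accept comment "HTTP/HTTPS"
        tcp dport 993 accept comment "IMAPS"

        ip daddr $router tcp dport { 22, 23 } accept comment "ssh/telnet to router"
        # NFSv4 uses 2049 only; NFSv3 also needs rpcbind (111) and mountd.
        ip daddr $nas tcp dport { 445, 2049 } accept comment "CIFS/NFSv4 to NAS"
        ip daddr $printer tcp dport { 631, 9100 } accept comment "IPP/JetDirect"

        counter comment "Everything else hits the drop policy"
    }
}
```

Load it with `nft -c -f <file>` first (check mode, no changes applied) so a syntax slip does not leave the desktop without an output chain.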
The restricted incoming chain and forward chain are standard practice so nothing to remark there.
#!/usr/bin/nft -f
# Flush ruleset
flush ruleset
# Definitions
table inet filter {
    # ================================================================
    # Outgoing connections
    # ================================================================
    chain output {
        # nft chain policies are only "accept" or "drop"; "block" is a syntax error
        type filter hook output priority 0; policy drop; counter comment "Block outgoing connections"
        # Note: nothing below accepts loopback, DNS (port 53) or replies to
        # incoming traffic; only these three destination ports leave the host
        tcp dport 80 counter accept comment "Accept HTTP"
        tcp dport 443 counter accept comment "Accept HTTPS"
        tcp dport 993 counter accept comment "Accept IMAPS"
    }
    # ================================================================
    # Forwarding connections
    # ================================================================
    chain forward {
        type filter hook forward priority 0; policy drop; counter comment "Block forwarding connections"
    }
    # ================================================================
    # Incoming connections
    # ================================================================
    chain input {
        type filter hook input priority 0; policy drop; counter comment "Block incoming connections"
        iif lo counter accept comment "Accept any localhost traffic"
        ct state established,related counter accept comment "Accept traffic originated from us"
        ct state invalid counter drop comment "Drop invalid connections"
        counter drop comment "Drop any other traffic"
    }
    # ================================================================
}