Can I use this firewall configuration for hardening my desktop system?
Block everything, except the following ports.
#!/usr/bin/nft -f
# Flush ruleset
flush ruleset
# Definitions
table inet filter {
    # ================================================================
    # Outgoing connections
    # ================================================================
    chain output {
        # "policy block" is not valid nft syntax; the policy is accept or drop
        type filter hook output priority 0; policy drop; counter comment "Block outgoing connections"
        # Without this, local services (resolver stub, CUPS, ...) cannot be reached
        oif lo counter accept comment "Accept any localhost traffic"
        tcp dport 80 counter accept comment "Accept HTTP"
        tcp dport 443 counter accept comment "Accept HTTPS"
        tcp dport 993 counter accept comment "Accept IMAPS"
    }
    # ================================================================
    # Forwarding connections
    # ================================================================
    chain forward {
        type filter hook forward priority 0; policy drop; counter comment "Block forwarding connections"
    }
    # ================================================================
    # Incoming connections
    # ================================================================
    chain input {
        type filter hook input priority 0; policy drop; counter comment "Block incoming connections"
        iif lo counter accept comment "Accept any localhost traffic"
        ct state established,related counter accept comment "Accept traffic originated from us"
        ct state invalid counter drop comment "Drop invalid connections"
        counter drop comment "Drop any other traffic"
    }
    # ================================================================
}
The output chain depends on what you do on your desktop. There are many different applications that use other outgoing ports (chat programs, remote file synchronizers, games, etc.) so you may have to update the rules regularly. Unless you are trying to hide traffic from the local network or run some sort of indispensable malware with restricted access (e.g. some useful app with privacy-invasive phone-home functionality), it may be simpler to just be more selective in what you install and run.
The restricted incoming chain and forward chain are standard practice so nothing to remark there.
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
The output chain depends on what you do on your desktop.
Eg:
- How are you going to resolve domains? DNS over HTTPS?
- Will you have to telnet or ssh into remote systems (router)?
- Do you access CIFS or NFS on e.g. a NAS?
- Do you use a network printer?
some sort of indispensable malware with restricted access (e.g. some useful app with privacy-invasive phone-home functionality)
And in that case see e.g. https://wiki.archlinux.org/title/Firejail but you can also use a cgroup and specific netfilter rules, https://www.kernel.org/doc/html/latest/ … t_cls.html
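An output chain that answers the questions above (name resolution, ssh to the router, CIFS/NFS to a NAS, a network printer, and a cgroup-based restriction for a single untrusted application), written as an added example that is not from this thread. The resolver, router, NAS and printer addresses (192.0.2.x, the documentation range) and the netrestricted.slice cgroup are placeholders to substitute; it also assumes IPv4 only (IPv6 peers need matching ip6 daddr rules).

```nft
#!/usr/bin/nft -f
# Added example, not the poster's ruleset. All 192.0.2.x addresses and
# the "netrestricted.slice" cgroup name are placeholders.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept comment "local services: resolver stub, CUPS, mail"
        ct state established,related accept
        ct state invalid drop

        # Per-application restriction via cgroup v2: anything started in the
        # netrestricted.slice cgroup (e.g. systemd-run --slice=netrestricted.slice)
        # gets no network beyond loopback. Must precede the accept rules.
        socket cgroupv2 level 1 "netrestricted.slice" \
            limit rate 5/minute log prefix "nft-cgroup-drop: "
        socket cgroupv2 level 1 "netrestricted.slice" drop

        # Name resolution: plain DNS only to the configured resolver.
        # If the resolver is reached over DoH instead, the HTTPS rule covers it.
        ip daddr 192.0.2.53 udp dport 53 accept comment "DNS"
        ip daddr 192.0.2.53 tcp dport 53 accept comment "DNS over TCP"

        # Web and mail, as in the original ruleset
        tcp dport { 80, 443 } accept comment "HTTP, HTTPS (and DoH)"
        tcp dport 993 accept comment "IMAPS"

        # Management and file services: only to the named hosts, not anywhere
        ip daddr { 192.0.2.1, 192.0.2.10 } tcp dport 22 accept comment "ssh: router, NAS"
        ip daddr 192.0.2.10 tcp dport { 445, 2049 } accept comment "CIFS, NFS: NAS"
        ip daddr 192.0.2.20 tcp dport 631 accept comment "IPP: printer"

        # Log (rate limited) what the policy drops so missing rules show up
        # in the journal instead of as silent application failures
        limit rate 5/minute log prefix "nft-output-drop: "
    }
}
```

Load it with `nft -f <file>` and watch the journal for the `nft-output-drop:` prefix while using the desktop normally; every logged destination is either a rule to add or a program to reconsider.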
Thank you guys.