You are not logged in.

#1 2022-01-10 23:58:04

t-sourcemaker
Member
Registered: 2015-02-01
Posts: 5

Desktop Firewall (Most Secure)

Can I use this firewall configuration for hardening my desktop system?
Block everything, except the following ports.

#!/bin/nft

# Flush ruleset
flush ruleset

# Definitions
table inet filter {
  # ================================================================
  # Outgoing connections
  # ================================================================
  chain output {
    type filter hook output priority 0; policy block;  counter        comment "Block outgoing connections"
    tcp dport  80                                      counter accept comment "Accept HTTP"    
    tcp dport 443                                      counter accept comment "Accept HTTPS"
    tcp dport 993                                      counter accept comment "Accept IMAPS"
  }
  # ================================================================
  # Forwarding connections
  # ================================================================
  chain forward {
    type filter hook forward priority 0; policy drop;  counter        comment "Block forwarding connections"
  }
  # ================================================================
  # Incoming connections
  # ================================================================
  chain input {
    type filter hook input priority 0; policy drop;    counter        comment "Block incoming connections"
    iif lo                                             counter accept comment "Accept any localhost traffic"
    ct state established,related                       counter accept comment "Accept traffic originated from us"
    ct state invalid                                   counter drop   comment "Drop invalid connections"
                                                       counter drop   comment "Drop any other traffic"
  }
  # ================================================================
}

Offline

#2 2022-01-11 05:07:28

Xyne
Administrator/TU
Registered: 2008-08-03
Posts: 6,838
Website

Re: Desktop Firewall (Most Secure)

The output chain depends on what you do on your desktop. There are many different applications that use other outgoing ports (chat programs, remote file synchronizers, games, etc.) so you may have to update the rules regularly. Unless you are trying to hide traffic from the local network or run some sort of indispensable malware with restricted access (e.g. some useful app with privacy-invasive phone-home functionality), it may be simpler to just be more selective in what you install and run.

The restricted incoming chain and forward chain are standard practice so nothing to remark there.


My Arch Linux StuffForum EtiquetteCommunity Ethos - Arch is not for everyone

Offline

#3 2022-01-11 08:16:05

seth
Member
Registered: 2012-09-03
Posts: 28,980

Re: Desktop Firewall (Most Secure)

Xyne wrote:

The output chain depends on what you do on your desktop.

Eg:
- How you're gonna resolve domains? DNS over https?
- Will you have to telnet or ssh into remote systems (router)?
- Do you access CIFS or NFS on eg. a NAS?
- Do you use a network printer?

Xyne wrote:

some sort of indispensable malware with restricted access (e.g. some useful app with privacy-invasive phone-home functionality)

And in that case see eg. https://wiki.archlinux.org/title/Firejail but you can also use a cgroup and specific netfilter rules, https://www.kernel.org/doc/html/latest/ … t_cls.html

Online

#4 2022-01-17 09:31:50

t-sourcemaker
Member
Registered: 2015-02-01
Posts: 5

Re: Desktop Firewall (Most Secure)

Thank you guys.

Offline

Board footer

Powered by FluxBB