On Wed, 6 Jul 2022, Will Mengarini wrote:
* gene heskett <ghesk...@shentel.net> [22-07/06=We 18:50 -0400]:
The man page while quite voluminous is as
usual mostly bereft of useful examples.
<https://wiki.nftables.org/wiki-nftables/index.php/Main_Page#Examples>
has various examples.
May I continue this thread by asking more newbie questions?
I looked at the workstation example, but it doesn't even allow access via ssh.
On my Debian 11 box I found /usr/share/doc/nftables/examples/workstation.nft
which does show how to allow incoming ssh, http and https traffic.
Newbie 1: Is it normal for nftables configuration files to be executable? As a
newcomer, I expected something more "traditional", i.e. a file containing only
keywords and data values.
Newbie 2: Command ls -l /etc/nftables.conf reports
-rwxr-xr-x 1 root root 228 Jan 17 2021 /etc/nftables.conf*
This looks as if anyone can read and execute this file. I tried as a simple
user and got the error message
/etc/nftables.conf:3:1-14: Error: Could not process rule: Operation not
permitted
flush ruleset
^^^^^^^^^^^^^^
Is execution not permitted for non-root/non-file-owner users?
Newbie 3: The configuration file begins with the Bash shebang #!/usr/sbin/nft -f
but the Debian 11 man page for nftables says
-f, --file filename Read input from filename. If filename is -, read from
stdin.
and doesn't mention omitting the filename. I'm guessing that -f with no file
name means "read from the remainder of this file". Is this correct?
My apologies for asking such trivial stuff.
Roger
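As an added illustration (not from this thread), the following script shows what the kernel actually does with a `#!/usr/sbin/nft -f` shebang: it runs the interpreter named on that line with the optional argument, then appends the path of the file being executed, so `-f` does get a filename after all. A stand-in interpreter (`fake-nft`, assumed here) is used instead of the real `nft`, so the demo runs as an unprivileged user and only needs an executable temporary directory.

```shell
#!/bin/sh
# Demonstrate the shebang mechanism behind /etc/nftables.conf.
# fake-nft stands in for /usr/sbin/nft and just prints its argv, one per line.
# Assumed: mktemp(1) and a Linux-style execve() that turns
#   "#!/path/to/interp optarg" into "interp optarg <script-path>".

shebang_argv() {
    work=$(mktemp -d)

    # Stand-in interpreter: echo every argument received, one per line.
    cat > "$work/fake-nft" <<'EOF'
#!/bin/sh
printf '%s\n' "$@"
EOF
    chmod 755 "$work/fake-nft"

    # A constructed "config file" shaped like /etc/nftables.conf:
    # first line is the shebang, the rest is ruleset text.
    printf '#!%s -f\nflush ruleset\n' "$work/fake-nft" > "$work/nftables.conf"
    chmod 755 "$work/nftables.conf"

    # Executing the config makes the kernel run:
    #     fake-nft -f <path-to-config>
    # With the real nft that is exactly "nft -f /etc/nftables.conf";
    # the EPERM a normal user sees comes from nft needing privileges to
    # talk to the kernel, not from the file's mode bits.
    "$work/nftables.conf"

    rm -rf "$work"
}

shebang_argv
```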
<https://manpages.debian.org/testing/nftables/nft.8.en.html> is an
HTML version of the man page, which is easier to navigate, at least.
<https://wiki.nftables.org/wiki-nftables/index.php/Accepting_and_dropping_packets>
may also be helpful.