On Sun, Jul 10, 2022 at 06:44:20AM +0100, Gareth Evans wrote:
> Hello,
> Comparing the default nft rulesets of firewalld and ufw (on Debian
> 11), I note that ufw provides a qualified 'policy drop' for input, but
> firewalld does not.
I'm not sure what you mean. firewalld denies most traffic by default.
Exception is that some zones, e.g. public, allow some things by default,
e.g. ssh.
  # nft list chain inet firewalld filter_INPUT
  table inet firewalld {
          chain filter_INPUT {
                  type filter hook input priority filter + 10; policy accept;
                  ct state { established, related } accept
                  ct status dnat accept
                  iifname "lo" accept
                  jump filter_INPUT_ZONES
                  ct state invalid drop
                  reject with icmpx admin-prohibited   <--- catch-all reject
          }
  }
The chain policy is not necessary because there is an explicit rule at
the end of the chain.
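The point of the reply is that a base chain's effective default is whatever happens to a packet that matches none of the explicit rules: the chain policy only applies if evaluation falls off the end, and an unconditional trailing reject/drop ends evaluation first. The check below is an added example, not code from the thread or from firewalld or ufw; it parses `nft list chain` output and reports that effective default. The three listings are constructed samples: the firewalld chain from the message above, a ufw-style chain whose default comes from `policy drop`, and a chain with `policy accept` and no catch-all, which is open by default. Rules reached through `jump` are not followed, so a verdict hidden inside a jumped-to chain is not seen; the names `chain_rules`, `catch_all_verdict` and `effective_default` are this example's own.

```python
import re

# Constructed sample: the firewalld filter_INPUT chain quoted in the reply.
FIREWALLD_INPUT = """\
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state invalid drop
        reject with icmpx admin-prohibited
    }
}
"""

# Constructed sample: a ufw-style base chain whose default is the chain policy.
POLICY_DROP_INPUT = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state { established, related } accept
        iifname "lo" accept
        tcp dport 22 counter accept
    }
}
"""

# Constructed sample: policy accept and no catch-all rule, i.e. open by default.
LEAKY_INPUT = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state invalid drop
        tcp dport 23 drop
    }
}
"""

TERMINAL_VERDICTS = ("accept", "drop", "reject")


def chain_rules(listing):
    """Return (policy, rules) for the first chain in an `nft list chain` listing.

    policy is the verdict named on the chain's hook line ("accept"/"drop");
    rules is the list of rule lines that follow it, in evaluation order.
    """
    policy = None
    rules = []
    in_chain = False
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("chain "):
            in_chain = True
            continue
        if not in_chain:
            continue
        if line == "}":
            break
        if line.startswith("type "):
            m = re.search(r"\bpolicy (accept|drop)\s*;", line)
            if m:
                policy = m.group(1)
            continue
        if line:
            rules.append(line)
    return policy, rules


def catch_all_verdict(rule):
    """Return the verdict of a rule that matches every packet, else None.

    A rule is unconditional when nothing but statements that match nothing
    (here: `counter [packets N bytes M]`) precede its terminal verdict.
    `jump`/`goto`/`return` are not terminal here: a jump target may return.
    """
    toks = rule.split()
    while toks and toks[0] == "counter":
        toks = toks[1:]
        if len(toks) >= 4 and toks[0] == "packets" and toks[2] == "bytes":
            toks = toks[4:]
    if toks and toks[0] in TERMINAL_VERDICTS:
        return toks[0]
    return None


def effective_default(listing):
    """Verdict for a packet that matches none of the chain's conditional rules.

    The first unconditional rule ends evaluation, so its verdict wins; only if
    there is none does the chain policy apply.
    """
    policy, rules = chain_rules(listing)
    if policy is None:
        raise ValueError("no base chain with a hook/policy line found")
    for rule in rules:
        verdict = catch_all_verdict(rule)
        if verdict is not None:
            return verdict
    return policy


def denies_by_default(listing):
    """True when unmatched traffic is dropped or rejected, by rule or by policy."""
    return effective_default(listing) in ("drop", "reject")


if __name__ == "__main__":
    for name, listing in (("firewalld", FIREWALLD_INPUT),
                          ("policy drop", POLICY_DROP_INPUT),
                          ("leaky", LEAKY_INPUT)):
        policy, _ = chain_rules(listing)
        print(f"{name}: policy {policy}, effective default {effective_default(listing)}")
```

Run it against a live box with `nft list chain inet firewalld filter_INPUT | python3 -c '...'` after substituting `sys.stdin.read()` for the constructed listing; the firewalld sample reports `policy accept, effective default reject`, which is the reply's point that the policy is irrelevant while the trailing reject is in place.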