firewalls

much wall, such fire, very wow

firewalls linux

  • spoof TTL to avoid throttling with tethering(each hop subtracts 1)
  • ufw accepts all localhost in ufw-before-input (so it can't be blocked in the INPUT chain)
  • iptables replaced by nftables replaced by bpfilter
  • opensnitch added nftables incoming rule support in v1.6.0
    • manual edit json rules for masquerade forwarding
  • nft list ruleset to view
  • upnpc
    • 1900 udp for ssdp
    • 5350 udp for pcp
    • 5351 udp for nat-pmp
  • private networks (/32 is all and /24 is all but last octet)
    • 10.x.x.x/8 is class A
    • 192.168.x.x/16 is class C
    • 127.x.x.x/8 is localhost
  • upnpc -s | grep ExternalIPAddress
  • 8444 TCP chia, 18080 monerod, 37889 p2pool
  • nftables with xtables
    • #match bpf pinned /sys/fs/bpf/mfw/match drop to load bpf program
curl 'http://10.0.0.1:5000/Public_UPNP_C3' \
  -X 'POST' \
  -H 'Content-Type: text/xml; charset="utf-8"' \
  -H 'Connection: close' \
  -H 'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"' \
  -d '<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
  <NewRemoteHost></NewRemoteHost>
  <NewExternalPort>443</NewExternalPort>
  <NewProtocol>TCP</NewProtocol>
  <NewInternalPort>443</NewInternalPort>
  <NewInternalClient>10.0.0.6</NewInternalClient>
  <NewEnabled>1</NewEnabled>
  <NewPortMappingDescription>node:nat:upnp</NewPortMappingDescription>
  <NewLeaseDuration>10</NewLeaseDuration>
</u:AddPortMapping>
</s:Body>
</s:Envelope>'