Starter Netfilter and Packetfilter Rulesets

The following rulesets drop all inbound traffic by default, with exceptions for ssh and icmp (the nftables ruleset also opens the web ports).

Debian /etc/nftables.conf

A simple ruleset allowing icmp, ssh, and web ports.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # Loopback and connection-tracking rules come first, so invalid
    # packets are dropped before any port is opened.
    iifname lo accept
    ct state { established, related } accept
    ct state invalid drop

    tcp dport { 22, 80, 443 } accept
    tcp dport 113 reject with icmpx type port-unreachable

    ip protocol icmp icmp type {
      echo-reply,               # type 0
      destination-unreachable,  # type 3
      echo-request,             # type 8
      time-exceeded,            # type 11
      parameter-problem,        # type 12
    } accept comment "Accept ICMP"
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}

OpenBSD /etc/pf.conf

A simple ruleset allowing icmp echo requests and ssh from trusted IPs.

Verify that your interface names are vio0 and lo0 or update accordingly. Replace 0.0.0.0/0 with your own trusted IPs; left as-is, it admits ssh from any source.

ext_if = "vio0"
table <allowed_ssh_ips> const { 100.64.88.10, 0.0.0.0/0 }

# Minimal block-all config
block in all
pass out all keep state
# ------------------------

set skip on lo0
match in all scrub (no-df)
antispoof for $ext_if inet

block in quick from urpf-failed
block return out log proto {tcp udp} user _pbuild

pass in log on $ext_if proto tcp \
     from <allowed_ssh_ips> to $ext_if port ssh
pass inet proto icmp icmp-type echoreq
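Before loading either file it is worth checking that the deny-all intent survived editing. The following added Python script (not part of the original page) reads the two rulesets above from constructed inline strings and reports the points a practitioner would want flagged: an input chain whose policy is not drop, missing loopback or conntrack rules, and an ssh pass rule whose source table still contains a catch-all such as 0.0.0.0/0. The audit functions and their messages are hypothetical names chosen for this example.

```python
import re

# Constructed sample input: the rulesets from this page, reduced to the lines
# the checks below read. Inline test data, not the files on a real host.
NFT_RULESET = """table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname lo accept
    ct state { established, related } accept
    ct state invalid drop
    tcp dport { 22, 80, 443 } accept
  }
}"""
PF_RULESET = """ext_if = "vio0"
table <allowed_ssh_ips> const { 100.64.88.10, 0.0.0.0/0 }
block in all
pass out all keep state
pass in log on $ext_if proto tcp from <allowed_ssh_ips> to $ext_if port ssh
"""
WORLD = {"0.0.0.0/0", "::/0", "any"}  # sources that mean "everyone"

def audit_nft_input(text):
    """Findings for the nftables input chain of a deny-all host ruleset."""
    findings = []
    m = re.search(r"chain input\s*\{(.*?)\n\s*\}", text, re.S)
    if not m:
        return ["nft: no input chain found"]
    body = m.group(1)
    pol = re.search(r"hook input[^;]*;\s*policy\s+(\w+)", body)
    if not pol or pol.group(1) != "drop":
        findings.append("nft: input chain policy is not drop")
    if "iifname lo accept" not in body:
        findings.append("nft: loopback traffic is not accepted")
    if not re.search(r"ct state \{?[^}\n]*established[^}\n]*\}? accept", body):
        findings.append("nft: established/related connections are not accepted")
    return findings

def audit_pf_ssh(text):
    """Findings for pf: default-deny inbound and who may reach the ssh port."""
    findings = []
    if not re.search(r"^block in( all)?$", text, re.M):
        findings.append("pf: no 'block in all' default-deny rule")
    tables = {name: set(re.split(r"[\s,]+", members.strip()))
              for name, members in re.findall(r"table <(\w+)>[^{]*\{([^}]*)\}", text)}
    for rule in re.findall(r"^pass in .*port (?:ssh|22)\b.*$", text, re.M):
        src = re.search(r"from (\S+)", rule)
        src = src.group(1) if src else "any"          # no "from" means any source
        members = tables.get(src.strip("<>"), {src})  # expand <table> references
        for bad in sorted(members & WORLD):
            findings.append(f"pf: ssh rule source {src} includes {bad}")
    return findings

if __name__ == "__main__":
    for f in audit_nft_input(NFT_RULESET) + audit_pf_ssh(PF_RULESET):
        print(f)
```

Run against the page's pf table as written, the script reports the 0.0.0.0/0 entry; once that entry is replaced with your own addresses, both audits return no findings.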