Don't assert default policy in nftables scripts?
HarukaMa opened this issue
Currently the nftables init script asserts several default policies:
miniupnp/miniupnpd/netfilter_nft/scripts/nft_init.sh, lines 21 to 23 in e439318
miniupnp/miniupnpd/netfilter_nft/scripts/nft_init.sh, lines 47 to 49 in e439318
miniupnp/miniupnpd/netfilter_nft/scripts/nft_init.sh, lines 57 to 59 in e439318
While those are sensible defaults, setting them as the default action might be disruptive depending on the running system's configuration. (Broke my router, actually. Fortunately it's on a local network.)
Removing the policies should not affect how miniupnpd works. Maybe consider removing them?
I'll leave this issue open to let you decide if you still want to change the server's network configuration in a potentially disruptive way by default. You can close this issue if you decide that it's fine.
As explained by @svenauhagen in #650, you don't have to use the default nft_init.sh and can build your own tables/chains.
nft_init.sh is designed to fit most cases, and it is reasonable to drop incoming traffic from the internet by default.
What's most disruptive is to install miniupnpd and run its provided init scripts without customizing them and the whole configuration to your needs first.
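The two choices discussed in this thread, as an added example that is not miniupnpd's own nft_init.sh: a POSIX shell script that renders the base chains for a table either with an explicit `policy` clause (the current script's behaviour) or with none, so that an existing chain's policy is left untouched and a newly created chain gets nftables' own default of accept. It also parses `nft list ruleset` output to read back the policy a chain currently has, which is the check to make before running any init script on a box that already carries a firewall. The table name `miniupnpd`, the chain names and the sample ruleset text are assumed for illustration; `nft` is only invoked when `APPLY=1` is set and the binary exists.

```shell
#!/bin/sh
# Added example, not from the miniupnpd repository.  Table/chain names are
# assumptions chosen for illustration; the real nft_init.sh may differ.

# Emit one base chain.  When $3 is empty no "policy" clause is written, so an
# already existing chain keeps whatever policy the administrator set and a new
# chain gets nftables' default (accept).  A non-empty $3 asserts that policy.
render_chain() {
    table=$1 chain=$2 policy=$3
    if [ -n "$policy" ]; then
        printf 'add chain inet %s %s { type filter hook %s priority 0; policy %s; }\n' \
            "$table" "$chain" "$chain" "$policy"
    else
        printf 'add chain inet %s %s { type filter hook %s priority 0; }\n' \
            "$table" "$chain" "$chain"
    fi
}

# Render the whole ruleset.  $1 = table name, $2 = policy for the base chains,
# "" meaning "do not assert any policy".
render_ruleset() {
    table=$1 policy=$2
    printf 'add table inet %s\n' "$table"
    for chain in input forward; do
        render_chain "$table" "$chain" "$policy"
    done
    # A regular (non-base) chain for the daemon's own rules; it never has a policy.
    printf 'add chain inet %s miniupnpd_redirect\n' "$table"
}

# Return 0 if the rendered text would set a chain policy, 1 otherwise.
asserts_policy() {
    printf '%s' "$1" | grep -q 'policy '
}

# Read the policy of chain $2 out of "nft list ruleset" text passed as $1.
# Prints e.g. "drop" or "accept"; prints nothing if the chain is not found.
policy_of() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "chain" && $2 == c { inchain = 1; next }
        inchain && /policy/ { sub(/.*policy /, ""); sub(/;.*/, ""); print; exit }
        inchain && /^[ \t]*}/ { exit }'
}

# Constructed sample of what "nft list ruleset" prints on a host that already
# has its own policies; used so the script runs offline.
SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
	}
}'

ruleset_without_policy=$(render_ruleset miniupnpd "")

if [ "${APPLY:-0}" = 1 ] && command -v nft >/dev/null 2>&1; then
    # Inspect what is already there before changing anything.
    current=$(nft list ruleset)
    echo "current input policy: $(policy_of "$current" input)"
    printf '%s\n' "$ruleset_without_policy" | nft -f -
else
    echo "sample input policy:   $(policy_of "$SAMPLE_RULESET" input)"
    echo "sample forward policy: $(policy_of "$SAMPLE_RULESET" forward)"
    printf '%s\n' "$ruleset_without_policy"
fi
```

Run as-is it only prints; with `APPLY=1` on a host that has `nft` it loads the policy-free variant, which is the form the opening post asks for. Passing `drop` as the second argument to `render_ruleset` reproduces the behaviour the maintainer defends, and `policy_of` against the live `nft list ruleset` output shows which chains that would overwrite.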