husk has built-in 'common' firewall rules, prefixed with the keyword 'common'. These rules implement commonly needed features of the Linux firewall, such as NAT, anti-spoofing, bogon filtering and port scan protection.
Apply source NAT to traffic going out of ZONE, usually 'NET'.
common nat ZONE
common nat NET
Prevent address spoofing on the specified ZONE. You must specify ADDRESS/PREFIX to define the addresses that are expected to be seen in the given ZONE. You can add multiple 'spoof' rules per interface.
common spoof ZONE ADDRESS/PREFIX
common spoof LAN 10.0.0.0/24
common spoof LAN 10.0.1.0/24
common spoof DMZ 188.8.131.52/29
Block bogon traffic on the specified ZONE. Bogon traffic consists of packets whose source addresses should never be seen outside private networks, such as RFC 1918 addresses, 127.0.0.0/8, etc. This is usually suitable only for the NET zone, or other zones that are publicly addressed, such as a routed DMZ.
common bogon ZONE
common bogon NET
Attempt to detect, log and drop port scans coming from the given ZONE. This detection is only rudimentary, but it's better than nothing.
common portscan ZONE
common portscan NET
Block Christmas tree packets on the specified ZONE. Xmas tree packets are TCP packets with all flags set (the packet "is lit up like a Christmas tree"), which is invalid and suspicious.
common xmas ZONE
common xmas NET
All TCP packets that the kernel considers to belong to a "NEW" connection should have the "SYN" flag set. If they don't, we DROP them.
common syn ZONE
common syn NET
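To make the spoof, bogon, xmas and syn checks above concrete, here is an added Python illustration (not husk's own code, and not what husk generates) that applies those four tests to constructed packet records. The zone-to-prefix configuration mirrors the examples above; the packet dictionary format and the RFC 1918 bogon list are assumptions for this example.

```python
import ipaddress

# Constructed configuration mirroring the 'common spoof' / 'common bogon' examples.
SPOOF = {"LAN": ["10.0.0.0/24", "10.0.1.0/24"], "DMZ": ["188.8.131.52/29"]}
BOGON_ZONES = {"NET"}
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
# All six classic TCP flag bits set: FIN SYN RST PSH ACK URG
XMAS_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}

def in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)

def verdict(pkt):
    """Return (action, reason) for one packet dict.

    pkt keys (assumed format): zone, src, proto, flags (set of TCP flag
    names) and state ("NEW" or "ESTABLISHED"), as the kernel would see them.
    """
    zone, src = pkt["zone"], pkt["src"]
    # common spoof ZONE ADDRESS/PREFIX: a source arriving on a zone with
    # spoof rules must fall inside one of that zone's configured prefixes.
    if zone in SPOOF and not in_any(src, SPOOF[zone]):
        return ("DROP", "spoof")
    # common bogon ZONE: private/loopback sources must never arrive from NET.
    if zone in BOGON_ZONES and in_any(src, BOGONS):
        return ("DROP", "bogon")
    if pkt["proto"] == "tcp":
        flags = set(pkt.get("flags", ()))
        # common xmas ZONE: every flag lit is invalid.
        if flags >= XMAS_FLAGS:
            return ("DROP", "xmas")
        # common syn ZONE: a NEW connection must start with SYN.
        if pkt["state"] == "NEW" and "SYN" not in flags:
            return ("DROP", "syn")
    return ("ACCEPT", "")

# Constructed sample packets, one per outcome.
SAMPLES = [
    {"zone": "LAN", "src": "10.0.1.7", "proto": "tcp", "flags": {"SYN"}, "state": "NEW"},
    {"zone": "LAN", "src": "192.0.2.9", "proto": "udp", "state": "NEW"},
    {"zone": "NET", "src": "192.168.1.1", "proto": "udp", "state": "NEW"},
    {"zone": "NET", "src": "203.0.113.5", "proto": "tcp", "flags": XMAS_FLAGS, "state": "NEW"},
    {"zone": "NET", "src": "203.0.113.5", "proto": "tcp", "flags": {"ACK"}, "state": "NEW"},
]

def run():
    return [verdict(p)[1] or "accept" for p in SAMPLES]
```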
Create a rule to accept traffic in and out of the 'lo' interface. There are only very rare circumstances where you don't want this rule in your configuration.