# Verbosity and output format of the log.
# log_type = "json" emits structured records, which are easier to parse if the
# logs are forwarded to a collector.
[logging]
log_level = "info" # trace, debug, info, warn, or error (default: info)
log_type = "text" # text or json (default: text)
# Firewall on/off switch and the interfaces it applies to.
# NOTE(review): on/off values in this file are quoted strings ("true"/"false"),
# not TOML booleans. Presumably the loader expects strings; confirm before
# changing them to bare true/false.
[firewall]
# "false" leaves the firewall off. Presumably the entries under [firewall.rules]
# are then not enforced; confirm against the loader.
enabled = "false" # Decide if the firewall is enabled or not
# Interface names are host-specific; replace wlp2s0 with the interface(s) present
# on the target machine.
interfaces = ["wlp2s0"] # Interfaces to protect (can be only physical interfaces)
# NOTE(review): presumably "false" denies ping requests and "true" allows them; confirm.
icmp_ping = "false" # Allow or deny ICMP ping requests
# Rules keyed by CIDR block (presumably the source address of the traffic).
# Each value is an inline table with priority, action ("allow" or "deny"),
# ports, protocol and a free-text description.
[firewall.rules]
# The /32 CIDR block is used to represent a single IP address rather than a range
# The /128 CIDR block is used to represent a single IPv6 address rather than a range
# The priority is used to determine the order in which rules are applied. Lower numbers are applied first.
# NOTE(review): how traffic that matches no rule is handled (default allow or
# default deny) is not stated here; confirm before relying on these rules.
# NOTE(review): 192.168.0.76 also falls inside 192.168.0.0/24. The two rules cover
# different ports, but whether one address can match several rules, or only the
# one with the lowest priority number, should be confirmed; otherwise the deny
# rule may never be reached.
"192.168.0.0/24" = { priority = 1, action = "allow", ports = [22], protocol = "tcp", description = "Allow ssh from entire local net" }
"192.168.0.76/32" = { priority = 2, action = "deny", ports = [8080], protocol = "tcp", description = "Deny a specific IP address" }
# Egress (outgoing) traffic monitoring: on/off switch and the interfaces to watch.
[egress]
enabled = "true"
physical_interfaces = ["enp0s20f0u4"] # Physical interfaces, your LAN interface
# The traffic sniffer for virtual interfaces (e.g. WireGuard/OpenVPN) is not working correctly.
# If you are using a VPN, switch it off if you want to use the egress logging feature.
# You will then see the egress traffic for your physical interface (wifi or ethernet).
# Until this is fixed, egress logs may miss traffic that leaves through a VPN
# tunnel, so do not treat them as a complete record while a VPN is active.
virtual_interfaces = [] # If using VPN, add the virtual interface here
# Selects which egress connections are written to the log, per protocol.
[egress.logging]
# log_only_new_connections:
# For example, if you perform 1000 requests to google.com, only 1 is logged when
# this is "true" (presumably every one is logged when it is "false"; confirm).
# This affects TCP and UDP connections.
log_only_new_connections = "true"
# With UDP logging off, UDP egress (which normally includes DNS lookups) does not
# appear in the log.
log_udp_connections = "false" # Decide if udp packets should be logged
log_tcp_connections = "true" # Decide if tcp packets should be logged
log_icmp_connections = "false" # Decide if icmp packets should be logged
#[egress_rules]
# TODO: filter outgoing traffic (block/deny)
# curl -6 -v http://\[::ffff:192.168.0.26\]:80
# NOTE(review): the example rule below has action = "allow" but its description
# says "Deny"; reconcile the two before enabling this section.
#"fe80::5bc2:662b:ac2f:7e8b/128" = { priority = 3, action = "allow", ports = [80], protocol = "tcp", log = false, description = "Deny HTTP for specific IPv6 address" }
#[mac_rules]
# TODO: MAC address filtering
# This is not implemented; it is not needed for the moment.
# Rules for MAC address filtering
#"00:0a:95:9d:68:16" = { action = "allow" }
#"00:0a:95:9d:68:17" = { action = "deny" }