How do I configure nftables so that only inbound IPsec traffic is allowed, with separate rules for the decrypted packets? I have this nftable.conf:
#!/sbin/nft -f
flush ruleset

# ----- IPv4 -----
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp icmp type echo-request counter accept comment "accept ICMP echo-request types"
        # Accept SSH incoming traffic
        tcp dport ssh counter accept comment "accept SSH"
        # Accept IPsec traffic
        udp dport { isakmp, ipsec-nat-t } counter accept comment "accept ISAKMP and IPsec NAT traversal"
        ip protocol { ah, esp } counter accept comment "accept AH and ESP"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}

# ----- IPv6 -----
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}
IPsec is set up with StrongSwan, and ping works after I added this rule:
ip protocol icmp icmp type echo-request counter accept comment "accept ICMP echo-request types"
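The decrypted-packet handling the question asks for, as an added example that is not part of the original post: the cleartext side admits only IKE, NAT-T, ESP and AH, and every packet the kernel has already decrypted (recognised by its IPsec secpath) is re-evaluated in its own chain instead of being matched by a blanket ICMP or SSH rule. It assumes a nft/kernel combination that supports the `ipsec` expression (nft 0.9.1 or later on kernel 4.20 or later is assumed), uses 203.0.113.10 as a placeholder for the remote IPsec gateway, and leaves the IPv6 table out.

```nft
#!/sbin/nft -f
# Added example, not the original poster's config. Assumes nft >= 0.9.1 and
# kernel >= 4.20 for the "ipsec in" expression; 203.0.113.10 is a placeholder
# for the remote IPsec gateway. The IPv6 table is omitted for brevity.
flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid counter drop comment "early drop of invalid packets"
        ct state { established, related } counter accept comment "replies to our own connections"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.0/8 counter drop comment "drop loopback destinations from other interfaces"

        # Cleartext may only carry the tunnel itself: IKE (500), NAT-T (4500), ESP and AH.
        # No cleartext SSH rule here: keep one until the tunnel is verified, or you lock yourself out.
        udp dport { isakmp, ipsec-nat-t } counter accept comment "accept IKE and NAT-T"
        ip protocol { esp, ah } counter accept comment "accept ESP and AH"

        # A decrypted inner packet traverses the input hook a second time with an
        # IPsec secpath attached; that is the only way into the service rules.
        meta secpath exists jump decrypted

        counter comment "count dropped cleartext packets"
    }

    chain decrypted {
        # Everything here was authenticated and decrypted by the kernel.
        # "ipsec in ip saddr" matches the SA's source, i.e. the remote gateway,
        # so these rules only honour packets from the SA negotiated with that peer.
        ipsec in ip saddr 203.0.113.10 icmp type echo-request counter accept comment "ping through the tunnel"
        ipsec in ip saddr 203.0.113.10 tcp dport ssh counter accept comment "SSH through the tunnel"
        counter drop comment "count dropped decrypted packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}
```

After a ping through the tunnel, `nft list ruleset` should show the hit on the rule in the `decrypted` chain; a hit on a cleartext rule instead means the packet never went through IPsec.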