review feedback

SUSE · Jul 23, 2024 · 8d399df · 8d399df
1 parent 0cf1468
commit 8d399df
Showing 1 changed file with 26 additions and 1 deletion.
diff --git a/xml/security_firewall.xml b/xml/security_firewall.xml
@@ -1021,6 +1021,26 @@ nfs-rpc
   </screen>
   <para>In the above example, all traffic is allowed because all chains have the policy <emphasis>accept</emphasis>.
   Note that in reality, this is a bad practice as firewalls should deny traffic by default.</para>
+  <para><emphasis role="bold">A basic nftables configuration file with masquerade:</emphasis></para>
+  <screen>&prompt.user; cat /etc/nftables.conf
+    #!/sbin/nft -f
+
+    flush ruleset
+
+    table ip nat {
+      chain prerouting {
+        type nat hook prerouting priority 0; policy accept;
+      }
+
+      # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
+      chain postrouting {
+        type nat hook postrouting priority 100; policy accept;
+        oifname "wan0" masquerade
+      }
+    }
+  </screen>
+  <para>If you have a static IP, it would be slightly faster to use source nat (SNAT) instead of masquerade.
+    The router replaces the source with a predefined IP, instead of looking up the outgoing IP for every packet.</para>
   <para><emphasis role= "bold" >A nftables configuration file with some rules applied:</emphasis></para>
   <screen>&prompt.user; cat /etc/nftables.conf
     #!/usr/sbin/nft -f
@@ -1081,10 +1101,15 @@ table inet filter {
   </listitem>
   <listitem>
    <para>
-
     ICMP and IGMP packets are allowed by utilizing a set and type names
    </para>
   </listitem>
+  <listitem>
+    <para>
+    A counter keeps a count of both the total number of packets and bytes it has seen since it was last reset.
+    With nftables, you must specify a counter for each rule you want to count.
+    </para>
+   </listitem>
  </itemizedlist>
   </sect3>
   <sect3 xml:id="sec-security-nftables-more-information">