Context: I wanted to block all non-Cloudflare IPs from accessing my server since I don't want people to be able to query my server and figure out what domains it hosts (yes, this is quite easy to do - a simple curl -k https://aaa.bbb.ccc.ddd:port -v will tell you).
So I wrote a bunch of rules into /etc/nftables.conf thinking that that's where nftables looks for the config file.
Nope, it actually turns out the real config is in /etc/sysconfig/nftables.conf
So I googled and even asked GPT4 and Gemini where do I find the real config, and couldn't find the answer. GPT4 and Gemini were totally useless.
In the end, I had to think for myself, so I thought "well, nftables is a service, so systemd will tell me what command it was started with and maybe that command will contain the location of the config file" and lo and behold:
$ systemctl status nftables
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; preset: disabled)
Active: active (exited) since Sat 2024-03-23 14:29:13 PDT; 10min ago
Docs: man:nft(8)
Process: 3934471 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=0/SUCCESS)
Main PID: 3934471 (code=exited, status=0/SUCCESS)
CPU: 21ms
Anyways, this just goes to prove what an idiot I am, that I had to Google for something so obvious and couldn't find it. I guess this was so trivial and obvious common sense that nobody bothered writing it down.
GPT4 and Gemini were completely useless in this case.
Also, did you know that you can use named sets in nftables? Pretty useful feature: https://wiki.nftables.org/wiki-nftables/index.php/Sets
No comments:
Post a Comment