Firewall4 / NFtables Tips and Tricks

In the spirit of the thread: a tip for debugging rules allowing (for example) SSH access from wan:

# flag packets to TCP port 22 for tracing; everything they hit afterwards is reported
nft add rule inet fw4 mangle_prerouting tcp dport 22 meta nftrace set 1
# watch the events ("nft monitor trace" limits the output to trace events)
nft monitor

Any packet matching the rule in the first line (tcp dport 22 in the mangle_prerouting chain) will then be traced through the remaining nftables chains, which is handy for debugging rules and understanding packet flows.

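As an added example (not code from the post above or from the firewall4 project), the same nftrace workflow wrapped in a few POSIX shell functions: one inserts the marking rule for a chosen port, one removes it again by handle when you are done, and one boils the verbose `nft monitor trace` output down to one line per chain decision. It assumes an OpenWrt box with firewall4 (table `inet fw4`, chain `mangle_prerouting`) and root for the `nft` calls; the function names, the `SAMPLE_TRACE` lines and the rule comments in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the post or from the firewall4 project.
# Assumes OpenWrt with firewall4 (table "inet fw4", chain "mangle_prerouting")
# and root for the nft calls. Function names are this example's own.

TRACE_TABLE="inet fw4"
TRACE_CHAIN="mangle_prerouting"

# Rule expression for one TCP destination port: the post's rule, parameterised.
trace_rule_expr() {
    printf 'tcp dport %s meta nftrace set 1' "$1"
}

# Insert at the top of the chain so packets are flagged before any other
# rule there can act on them. (Unquoted expansions are intentional: nft
# wants the rule as separate words.)
trace_start() {
    nft insert rule $TRACE_TABLE $TRACE_CHAIN $(trace_rule_expr "$1")
}

# Ad-hoc rules stay until the next 'fw4 reload', so remove them explicitly.
# 'nft delete rule' needs the handle that 'nft -a list chain' prints as
# '# handle N' after the rule.
trace_stop() {
    handle=$(nft -a list chain $TRACE_TABLE $TRACE_CHAIN \
        | grep -F "$(trace_rule_expr "$1")" \
        | sed -n 's/.*# handle \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$handle" ] && nft delete rule $TRACE_TABLE $TRACE_CHAIN handle "$handle"
}

# Reduce 'nft monitor trace' output to one line per decision:
# "<trace id> <chain> rule|verdict|policy -> <verdict>".
# Field layout of a trace line: trace id <id> <family> <table> <chain> <kind> ...
trace_summary() {
    awk '
        /^trace id / {
            id = $3; chain = $6; kind = $7
            if (kind == "rule") {
                # rule lines end in "(verdict <v>)"
                if (match($0, /\(verdict [^)]*\)/))
                    print id, chain, "rule ->", substr($0, RSTART + 9, RLENGTH - 10)
            } else if (kind == "verdict" || kind == "policy") {
                print id, chain, kind, "->", $8
            }
        }'
}

# Constructed sample of what 'nft monitor trace' prints for a SYN to port 22
# arriving on the wan interface (addresses and comments are made up).
SAMPLE_TRACE='trace id 3e2ac1 inet fw4 mangle_prerouting packet: iif "eth1" ip saddr 198.51.100.7 ip daddr 203.0.113.2 tcp sport 40112 tcp dport 22 tcp flags == syn
trace id 3e2ac1 inet fw4 mangle_prerouting rule tcp dport 22 meta nftrace set 1 (verdict continue)
trace id 3e2ac1 inet fw4 mangle_prerouting verdict continue
trace id 3e2ac1 inet fw4 mangle_prerouting policy accept
trace id 3e2ac1 inet fw4 input packet: iif "eth1" ip saddr 198.51.100.7 ip daddr 203.0.113.2 tcp sport 40112 tcp dport 22 tcp flags == syn
trace id 3e2ac1 inet fw4 input rule iifname "eth1" jump input_wan comment "!fw4: Handle wan input" (verdict jump input_wan)
trace id 3e2ac1 inet fw4 input_wan rule tcp dport 22 counter packets 1 bytes 60 accept comment "!fw4: Allow-SSH-WAN" (verdict accept)'

# Offline demonstration on the constructed sample. On the router the real
# workflow is:  trace_start 22; nft monitor trace | trace_summary; trace_stop 22
printf '%s\n' "$SAMPLE_TRACE" | trace_summary
```

Two choices worth noting: the example uses `nft insert` rather than the post's `nft add` so the marking rule sits at the top of `mangle_prerouting` and no earlier rule in that chain can act on the packet first, and it keeps an explicit `trace_stop`, because a rule added by hand is not in `/etc/config/firewall` and will quietly stay active until the next `fw4 reload` unless you delete it by handle.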