Blog

Incoming TCP Connection State Filtering

Content #

Incoming TCP packets from remote clients will have the SYN flag set in the first packet received as part of the three-way connection establishment handshake. The first connection request will have the SYN flag set, but not the ACK flag.

Every TCP packet received from a remote server will have the ACK flag set. Your local client firewall rules will require all incoming packets from remote servers to have the ACK flag set.

...

sub:nftables

Content #

nft <command> <subcommand> <chain> <rule definition>

Typical commands: add, list, delete, insert, flush
Typical subcommands: table, chain, rule

Address families
Hooks in inet families
Table Syntax
Chain Syntax
Rule Syntax

Concepts #

Rejecting versus Denying a Packet
Incoming TCP Connection State Filtering
Stealth Scans (RST packet)
ping Flooding

0.0.0.0/0 (nftables)
Default Policy
Rules and the First Matching Rule Wins
Packets do not "return from the external interface"

type determines what a chain can do (the kind of operation). hook determines when a chain runs (the trigger stage). priority determines the order in which several chains attached to the same hook point are executed. A given type is only valid on some hooks: the nat type is normally used with the prerouting and postrouting hooks, while the filter type can be used with the input, forward and output hooks. An invalid combination produces an error; for example, using type nat on the input hook may leave the rules without effect.

...

Rejecting versus Denying a Packet

Content #

The Netfilter firewall mechanism in iptables and nftables gives you the option of either rejecting or dropping packets. What’s the difference? When a packet is rejected, the packet is thrown away and an ICMP error message is returned to the sender. When a packet is dropped, the packet is simply thrown away without any notification to the sender.

Silently dropping the packet is almost always the better choice, for three reasons.

...

Address 0.0.0.0/8

Content #

Address 0.0.0.0 is a special broadcast source address.

When the local machine has no IP address configured yet, it can send DHCP requests with 0.0.0.0 as the source address.

SRC=0.0.0.0 DST=255.255.255.255  (DHCP DISCOVER)

This is the only legitimate use of 0.0.0.0. Public routers do not forward packets carrying 0.0.0.0/8 addresses.

According to RFC 1122 (Section 3.2.1.3):

“Addresses in the range 0.0.0.0/8 are reserved. The only exception is 0.0.0.0 itself, which can be used as a special meaning for ‘this host’ before an IP address is assigned.”

This means that every IP address from 0.0.0.0 to 0.255.255.255 (including 0.1.2.3) is a reserved address and cannot be used as a source or destination address.

From #

Linux Security: Enhancing Security with nftables and Beyond

...

Class E reserved IP addresses

Content #

IP addresses in the Class E range were set aside for future and experimental use and are not assigned publicly.

They range from 240.0.0.0 to 247.255.255.255.

Your machine should never see packets from these source addresses, and most likely won’t. (Because the entire address range is permanently reserved up through 255.255.255.255, the Class E range can realistically be defined as 240.0.0.0 to 255.255.255.255. In fact, some sources define the Class E address range to be exactly that.)

...

Class D multicast IP addresses

Content #

IP addresses in the Class D range are set aside for use as destination addresses when participating in a multicast network broadcast, such as an audiocast or a videocast. They range from 224.0.0.0 to 239.255.255.255. Your machine should never see packets from these source addresses.

From #

Class A, B, and C private IP addresses

Content #

  1. Class A private addresses from 10.0.0.0 to 10.255.255.255.
  2. Class B private addresses from 172.16.0.0 to 172.31.255.255.
  3. Class C private addresses from 192.168.0.0 to 192.168.255.255.
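The TCP connection state rules from the first section and the reserved source ranges from these address sections, combined into one nftables ruleset as an added example (not from the page or the book it cites); the interface name "eth0", the served ports 22 and 443, and the set name bogon_src are assumptions:

```nft
#!/usr/sbin/nft -f
# Added example, not from the page or the book it cites. Assumes the public
# interface is "eth0" and that this host serves SSH (22) and HTTPS (443).
flush ruleset
table inet filter {
    # Source ranges from the page's address sections that should never be seen
    # on a public interface. 0.0.0.0/8 is only legal as a DHCP DISCOVER source,
    # so a host acting as DHCP server would have to exempt udp dport 67 first.
    set bogon_src {
        type ipv4_addr
        flags interval
        elements = {
            0.0.0.0/8,        # "this host" range (RFC 1122, section 3.2.1.3)
            10.0.0.0/8,       # Class A private
            172.16.0.0/12,    # Class B private
            192.168.0.0/16,   # Class C private
            224.0.0.0/4,      # Class D multicast, destination addresses only
            240.0.0.0/4       # Class E reserved, through 255.255.255.255
        }
    }
    # type filter on hook input is a valid combination; priority 0 orders it
    # against other input chains. Policy drop: unmatched packets are silently
    # discarded, no ICMP error goes back to the sender.
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop

        # First matching rule wins, so the spoof check precedes every accept.
        iifname "eth0" ip saddr @bogon_src drop

        # Packets from remote servers belong to connections this host opened,
        # and every such TCP packet must carry ACK (stateless check on top of
        # conntrack, as described in the TCP connection state section).
        ct state established,related tcp flags & ack == 0x0 drop
        ct state established,related accept

        # New client connections: SYN set and ACK clear, only to served ports.
        tcp flags & (syn|ack) == syn tcp dport { 22, 443 } ct state new accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state new accept   # this host may open outbound connections as a client
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; a packet that matches none of the accept rules is dropped silently by the chain policy.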

From #

cook:lsof

Show Open Network Connections #

sudo lsof -Pni

-P prevents the conversion of port numbers to port names.
-n prevents the conversion of IP addresses to host names.
-i displays network connections.

From #

sub:IP

Content #

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Class A, B, and C private IP addresses
Class D multicast IP addresses
Class E reserved IP addresses
Address 0.0.0.0

...