firewalls
much wall, such fire, very wow
firewalls linux
- ufw accepts all loopback traffic in ufw-before-input, so it can't be blocked by rules later in the INPUT chain
- iptables replaced by nftables replaced by bpfilter
- opensnitch added nftables incoming rule support in v1.6.0
- masquerade/forwarding rules need manual edits of the JSON rule files
nft list ruleset
to view
- upnpc
- 1900 udp for ssdp
- 5350 udp for pcp
- 5351 udp for nat-pmp
- private networks (/32 is a single host, all 32 bits fixed; /24 fixes all but the last octet)
- 10.x.x.x/8 is the class A private range
- 192.168.x.x/16 is the class C private range
- 127.x.x.x/8 is loopback (localhost)
upnpc -s | grep ExternalIPAddress
- 8444 TCP chia, 18080 monerod, 37889 p2pool
- nftables with xtables
#match bpf pinned /sys/fs/bpf/mfw/match drop
to load bpf program
curl 'http://10.0.0.1:5000/Public_UPNP_C3' \
  -X 'POST' \
  -H 'Content-Type: text/xml; charset="utf-8"' \
  -H 'Connection: close' \
  -H 'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"' \
  -d '<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>443</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>443</NewInternalPort>
      <NewInternalClient>10.0.0.6</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>node:nat:upnp</NewPortMappingDescription>
      <NewLeaseDuration>10</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>'
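Added example, not part of these notes: parse an AddPortMapping SOAP body like the one above and audit it against a local policy, so a proxy or pcap pipeline can flag mappings that open unexpected ports or forward to a host other than the requester. The LAN range 10.0.0.0/24, the requester address and the allow-list (the chia/monerod/p2pool ports listed above) are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")
# Constructed sample: the AddPortMapping body from the curl command above.
SAMPLE_BODY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>443</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>443</NewInternalPort>
<NewInternalClient>10.0.0.6</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>node:nat:upnp</NewPortMappingDescription>
<NewLeaseDuration>10</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"""

def parse_add_port_mapping(body):
    """Return the AddPortMapping arguments of a SOAP body as a dict."""
    root = ET.fromstring(body)
    action = root.find(f".//{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    # the argument elements carry no namespace, so plain tag names match
    m = {f: (action.findtext(f) or "").strip() for f in FIELDS}
    for key in ("NewExternalPort", "NewInternalPort", "NewLeaseDuration"):
        m[key] = int(m[key])
    return m

def audit_mapping(m, requester, lan="10.0.0.0/24",
                  allowed=(8444, 18080, 37889)):
    """List policy findings for one mapping; an empty list means it is expected.
    Assumed policy: only the allow-listed ports, only for the requesting host."""
    findings = []
    client = ip_address(m["NewInternalClient"])
    if client not in ip_network(lan):
        findings.append(f"internal client {client} outside {lan}")
    if client != ip_address(requester):
        findings.append(f"{requester} requested a forward to {client}")
    if m["NewExternalPort"] not in allowed:
        findings.append(f"external port {m['NewExternalPort']} not allowed")
    if m["NewProtocol"] not in ("TCP", "UDP"):
        findings.append(f"unexpected protocol {m['NewProtocol']!r}")
    if m["NewLeaseDuration"] == 0:
        findings.append("permanent lease (NewLeaseDuration=0)")
    return findings

if __name__ == "__main__":
    mapping = parse_add_port_mapping(SAMPLE_BODY)
    for finding in audit_mapping(mapping, requester="10.0.0.9"):
        print("ALERT:", finding)
```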