diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-13 21:36:34 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-13 21:36:34 +0100 |
commit | 3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f (patch) | |
tree | 649cc654de5c646222e9c6a01acb5b1680f4e109 | |
parent | 470105b11d48740bd1dd1401491ebac08b834e07 (diff) | |
download | nixos-3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f.tar nixos-3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f.tar.gz nixos-3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f.tar.bz2 nixos-3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f.tar.xz nixos-3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f.zip |
surtr: nftables...
-rw-r--r-- | hosts/surtr/dns/default.nix | 9 | ||||
-rw-r--r-- | hosts/surtr/ruleset.nft | 3 |
2 files changed, 3 insertions, 9 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index ce909b72..746b3ee8 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix | |||
@@ -7,15 +7,6 @@ | |||
7 | }; | 7 | }; |
8 | 8 | ||
9 | systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; | 9 | systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; |
10 | |||
11 | networking.firewall = { | ||
12 | allowedTCPPorts = [ | ||
13 | 53 # DNS | ||
14 | ]; | ||
15 | allowedUDPPorts = [ | ||
16 | 53 # DNS | ||
17 | ]; | ||
18 | }; | ||
19 | 10 | ||
20 | services.knot = { | 11 | services.knot = { |
21 | enable = true; | 12 | enable = true; |
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index 6b47751f..f8cadc94 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft | |||
@@ -79,6 +79,9 @@ table inet filter { | |||
79 | meta protocol ip6 udp dport 51821 counter accept | 79 | meta protocol ip6 udp dport 51821 counter accept |
80 | udp dport 60000-61000 counter accept | 80 | udp dport 60000-61000 counter accept |
81 | 81 | ||
82 | tcp dport 53 counter accept | ||
83 | udp dport 53 counter accept | ||
84 | |||
82 | 85 | ||
83 | limit name lim_reject log prefix "drop input: " counter drop | 86 | limit name lim_reject log prefix "drop input: " counter drop |
84 | log prefix "reject input: " counter | 87 | log prefix "reject input: " counter |