authorGregor Kleen <gkleen@yggdrasil.li>2021-12-13 21:36:34 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-13 21:36:34 +0100
commit3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f (patch)
tree649cc654de5c646222e9c6a01acb5b1680f4e109
parent470105b11d48740bd1dd1401491ebac08b834e07 (diff)
downloadnixos-3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f.tar
nixos-3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f.tar.gz
nixos-3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f.tar.bz2
nixos-3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f.tar.xz
nixos-3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f.zip
surtr: nftables...
-rw-r--r--hosts/surtr/dns/default.nix9
-rw-r--r--hosts/surtr/ruleset.nft3
2 files changed, 3 insertions, 9 deletions
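--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -7,15 +7,6 @@
 };
 
 systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
-
-networking.firewall = {
-allowedTCPPorts = [
-53 # DNS
-];
-allowedUDPPorts = [
-53 # DNS
-];
-};
 
 services.knot = {
 enable = true;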
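--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -79,6 +79,9 @@ table inet filter {
 meta protocol ip6 udp dport 51821 counter accept
 udp dport 60000-61000 counter accept
 
+tcp dport 53 counter accept
+udp dport 53 counter accept
+
 
 limit name lim_reject log prefix "drop input: " counter drop
 log prefix "reject input: " counter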
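Review bot: The two new accept rules for port 53 carry no annotation, while the Nix firewall block they replace documented the ports as `# DNS`; nft rules take a trailing comment, so `tcp dport 53 counter accept comment "DNS (knot)"` and the same on the udp line would keep that intent visible in the ruleset. The rules also accept UDP/53 from any source without a rate bound; if knot on this host answers authoritative queries from the internet, unbounded UDP responses are a reflection/amplification risk, so it is worth confirming that knot's response-rate-limiting is configured or adding a `limit rate` to the udp rule — neither is visible in this commit. The enclosing chain begins outside the hunk, so whether these rules sit in the input chain is inferred only from the neighbouring `"drop input: "` log rule.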