diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-06 17:19:58 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-06 17:19:58 +0100 |
| commit | 67657a453e654811ed5adf45a4c7aab32dc30274 (patch) | |
| tree | b94f3378117ca2b6bd2d43c8ef106855e52e6462 /hosts/surtr/ruleset.nft | |
| parent | 93f07176317920ee881773519ee342f9c62ab9c9 (diff) | |
| download | nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.gz nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.bz2 nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.xz nixos-67657a453e654811ed5adf45a4c7aab32dc30274.zip | |
bifrost: ...
Diffstat (limited to 'hosts/surtr/ruleset.nft')
| -rw-r--r-- | hosts/surtr/ruleset.nft | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index 132360b9..9d6fd373 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | define icmp_protos = { ipv6-icmp, icmp, igmp } | 1 | define icmp_protos = {ipv6-icmp, icmp, igmp} |
| 2 | 2 | ||
| 3 | table arp filter { | 3 | table arp filter { |
| 4 | limit lim_arp { | 4 | limit lim_arp { |
| @@ -44,12 +44,16 @@ table inet filter { | |||
| 44 | 44 | ||
| 45 | iifname lo counter accept | 45 | iifname lo counter accept |
| 46 | 46 | ||
| 47 | meta l4proto $icmp_protos iifname yggdrasil oifname ens3 limit name lim_icmp counter drop | 47 | meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 limit name lim_icmp counter drop |
| 48 | meta l4proto $icmp_protos iifname yggdrasil oifname ens3 counter accept | 48 | meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 counter accept |
| 49 | meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop | 49 | meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop |
| 50 | meta l4proto $icmp_protos ct state {established, related} counter accept | 50 | meta l4proto $icmp_protos ct state {established, related} counter accept |
| 51 | 51 | ||
| 52 | 52 | ||
| 53 | oifname bifrost counter accept | ||
| 54 | iifname bifrost oifname ens3 counter accept | ||
| 55 | |||
| 56 | |||
| 53 | limit name lim_reject log prefix "drop forward: " counter drop | 57 | limit name lim_reject log prefix "drop forward: " counter drop |
| 54 | log prefix "reject forward: " counter | 58 | log prefix "reject forward: " counter |
| 55 | meta l4proto tcp ct state new counter reject with tcp reset | 59 | meta l4proto tcp ct state new counter reject with tcp reset |
| @@ -78,13 +82,13 @@ table inet filter { | |||
| 78 | udp dport 60001-61000 counter accept | 82 | udp dport 60001-61000 counter accept |
| 79 | 83 | ||
| 80 | meta protocol ip udp dport 51820 counter accept | 84 | meta protocol ip udp dport 51820 counter accept |
| 81 | meta protocol ip6 udp dport 51821 counter accept | 85 | meta protocol ip6 udp dport {51821, 51822} counter accept |
| 82 | iifname "yggdrasil-wg-*" meta l4proto gre counter accept | 86 | iifname "yggdrasil-wg-*" meta l4proto gre counter accept |
| 83 | 87 | ||
| 84 | tcp dport 53 counter accept | 88 | tcp dport 53 counter accept |
| 85 | udp dport 53 counter accept | 89 | udp dport 53 counter accept |
| 86 | 90 | ||
| 87 | tcp dport { 80, 443 } counter accept | 91 | tcp dport {80, 443} counter accept |
| 88 | 92 | ||
| 89 | ct state {established, related} counter accept | 93 | ct state {established, related} counter accept |
| 90 | 94 | ||