surtr: restrict incoming icmp

author: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-16 14:24:36 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-16 14:24:36 +0100
commit: 03cf422e8132cc08863083f27f377ffec910c192 (patch)
tree: 8fc78d85bb84909b20c3e7c367b4ea1e3cadc64a /hosts/surtr/ruleset.nft
parent: ee954b36d552a681e4bc2ff10961b70a52c60910 (diff)
download: nixos-03cf422e8132cc08863083f27f377ffec910c192.tar
nixos-03cf422e8132cc08863083f27f377ffec910c192.tar.gz
nixos-03cf422e8132cc08863083f27f377ffec910c192.tar.bz2
nixos-03cf422e8132cc08863083f27f377ffec910c192.tar.xz
nixos-03cf422e8132cc08863083f27f377ffec910c192.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index cb41f1cf..b57434a6 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -44,8 +44,10 @@ table inet filter {
    iifname lo counter accept
-    meta l4proto $icmp_protos limit name lim_icmp counter drop
+    meta l4proto $icmp_protos iifname yggdrasil limit name lim_icmp counter drop
-    meta l4proto $icmp_protos counter accept
+    meta l4proto $icmp_protos iifname yggdrasil counter accept
+    meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
+    meta l4proto $icmp_protos ct state {established, related} counter accept
    limit name lim_reject log prefix "drop forward: " counter drop
author	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-16 14:24:36 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-16 14:24:36 +0100
commit	03cf422e8132cc08863083f27f377ffec910c192 (patch)
tree	8fc78d85bb84909b20c3e7c367b4ea1e3cadc64a /hosts/surtr/ruleset.nft
parent	ee954b36d552a681e4bc2ff10961b70a52c60910 (diff)
download	nixos-03cf422e8132cc08863083f27f377ffec910c192.tar nixos-03cf422e8132cc08863083f27f377ffec910c192.tar.gz nixos-03cf422e8132cc08863083f27f377ffec910c192.tar.bz2 nixos-03cf422e8132cc08863083f27f377ffec910c192.tar.xz nixos-03cf422e8132cc08863083f27f377ffec910c192.zip

diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index cb41f1cf..b57434a6 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft
@@ -44,8 +44,10 @@ table inet filter {
44		44
45	iifname lo counter accept	45	iifname lo counter accept
46		46
47	meta l4proto $icmp_protos limit name lim_icmp counter drop	47	meta l4proto $icmp_protos iifname yggdrasil limit name lim_icmp counter drop
48	meta l4proto $icmp_protos counter accept	48	meta l4proto $icmp_protos iifname yggdrasil counter accept
		49	meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
		50	meta l4proto $icmp_protos ct state {established, related} counter accept
49		51
50		52
51	limit name lim_reject log prefix "drop forward: " counter drop	53	limit name lim_reject log prefix "drop forward: " counter drop