| author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-13 21:36:34 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-13 21:36:34 +0100 |
| commit | 3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f (patch) | |
| tree | 649cc654de5c646222e9c6a01acb5b1680f4e109 /hosts/surtr | |
| parent | 470105b11d48740bd1dd1401491ebac08b834e07 (diff) | |
surtr: nftables...
Diffstat (limited to 'hosts/surtr')
| -rw-r--r-- | hosts/surtr/dns/default.nix | 9 | ||||
| -rw-r--r-- | hosts/surtr/ruleset.nft | 3 |
2 files changed, 3 insertions, 9 deletions
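--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -7,15 +7,6 @@
 };
 
 systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
-
-networking.firewall = {
-allowedTCPPorts = [
-53 # DNS
-];
-allowedUDPPorts = [
-53 # DNS
-];
-};
 
 services.knot = {
 enable = true;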
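--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -79,6 +79,9 @@ table inet filter {
 meta protocol ip6 udp dport 51821 counter accept
 udp dport 60000-61000 counter accept
 
+tcp dport 53 counter accept
+udp dport 53 counter accept
+
 
 limit name lim_reject log prefix "drop input: " counter drop
 log prefix "reject input: " counter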
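Review bot: The two new accept rules for port 53 carry no comment, whereas the `networking.firewall` block this commit removes from hosts/surtr/dns/default.nix documented the port with `# DNS`; that intent is now lost in the ruleset. nftables supports per-rule comments, so I would write `tcp dport 53 counter accept comment "DNS (knot)"` and `udp dport 53 counter accept comment "DNS (knot)"` so a reader of the ruleset can tie the opening to the knot service. Note also that, unlike the neighbouring `meta protocol ip6 udp dport 51821` rule, these rules are not scoped to a protocol family, so in an `inet` table they accept DNS over both IPv4 and IPv6 — presumably intended for an authoritative server, but worth stating in the comment. The added blank line at new line 84 sits directly before an existing blank line, leaving a double blank; one of them can go. The enclosing chain (apparently the input chain, judging by the `"drop input: "` log prefix) starts and ends outside the hunk.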
