diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-04 19:23:36 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-04 19:23:36 +0100 |
| commit | 29480b6e86ca6057d4151accdb5d4103f1657596 (patch) | |
| tree | aad8ef8a38f2b679ff64039d6a2445eba9041d09 /hosts/vidhar/network/ruleset.nft | |
| parent | 7fcaba2d4cabc8d5dfd35648ec1b9b6795e490ec (diff) | |
| download | nixos-29480b6e86ca6057d4151accdb5d4103f1657596.tar nixos-29480b6e86ca6057d4151accdb5d4103f1657596.tar.gz nixos-29480b6e86ca6057d4151accdb5d4103f1657596.tar.bz2 nixos-29480b6e86ca6057d4151accdb5d4103f1657596.tar.xz nixos-29480b6e86ca6057d4151accdb5d4103f1657596.zip | |
...
Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index da3a9048..d2c88008 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
| @@ -59,6 +59,9 @@ table inet filter { | |||
| 59 | counter fw-lo {} | 59 | counter fw-lo {} |
| 60 | counter fw-lan {} | 60 | counter fw-lan {} |
| 61 | counter fw-dsl {} | 61 | counter fw-dsl {} |
| 62 | counter fw-printing {} | ||
| 63 | |||
| 64 | counter fw-cups {} | ||
| 62 | 65 | ||
| 63 | counter reject-ratelimit-fw {} | 66 | counter reject-ratelimit-fw {} |
| 64 | counter reject-fw {} | 67 | counter reject-fw {} |
| @@ -137,12 +140,17 @@ table inet filter { | |||
| 137 | 140 | ||
| 138 | iifname lo counter name fw-lo accept | 141 | iifname lo counter name fw-lo accept |
| 139 | 142 | ||
| 140 | oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept | 143 | oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept |
| 141 | |||
| 142 | iifname lan oifname { dsl, bifrost } counter name fw-lan accept | 144 | iifname lan oifname { dsl, bifrost } counter name fw-lan accept |
| 143 | iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept | ||
| 144 | 145 | ||
| 145 | 146 | ||
| 147 | iifname lan oifname ve-printing ip daddr 10.141.4.1 tcp dport 631 counter name fw-cups accept | ||
| 148 | iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:4::1 tcp dport 631 counter name fw-cups accept | ||
| 149 | |||
| 150 | |||
| 151 | iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept | ||
| 152 | iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept | ||
| 153 | |||
| 146 | 154 | ||
| 147 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop | 155 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop |
| 148 | log level debug prefix "reject forward: " counter name reject-fw | 156 | log level debug prefix "reject forward: " counter name reject-fw |
| @@ -169,7 +177,7 @@ table inet filter { | |||
| 169 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept | 177 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept |
| 170 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept | 178 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept |
| 171 | 179 | ||
| 172 | iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept | 180 | iifname { lan, mgmt, wifibh, yggdrasil, ve-printing } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept |
| 173 | 181 | ||
| 174 | iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept | 182 | iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept |
| 175 | 183 | ||
| @@ -179,9 +187,9 @@ table inet filter { | |||
| 179 | 187 | ||
| 180 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept | 188 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept |
| 181 | 189 | ||
| 182 | iifname mgmt udp dport 123 counter name ntp-rx accept | 190 | iifname { mgmt, ve-printing } udp dport 123 counter name ntp-rx accept |
| 183 | 191 | ||
| 184 | iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept | 192 | iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept |
| 185 | 193 | ||
| 186 | iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept | 194 | iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept |
| 187 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept | 195 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept |
| @@ -268,4 +276,4 @@ table ip mss_clamp { | |||
| 268 | 276 | ||
| 269 | oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu | 277 | oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu |
| 270 | } | 278 | } |
| 271 | } \ No newline at end of file | 279 | } |