author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-10-22 19:33:45 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-10-22 19:33:45 +0200 |
commit | ddcc8c65e30a9ca3b56e25466e749cb100b28510 (patch) | |
tree | 869c782c4e5874d4d353d3cd82af5b0e2dfe9a45 /hosts/vidhar/network/ruleset.nft | |
parent | 0b7bd91465487426041c777a40de3be9f7407058 (diff) | |
...
Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
-rw-r--r-- | hosts/vidhar/network/ruleset.nft | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index c0da0fa6..473f8a20 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
@@ -78,6 +78,7 @@ table inet filter { | |||
78 | counter ssh-rx {} | 78 | counter ssh-rx {} |
79 | counter mosh-rx {} | 79 | counter mosh-rx {} |
80 | counter dns-rx {} | 80 | counter dns-rx {} |
81 | counter nfs-rx {} | ||
81 | counter wg-rx {} | 82 | counter wg-rx {} |
82 | counter yggdrasil-gre-rx {} | 83 | counter yggdrasil-gre-rx {} |
83 | counter ipv6-pd-rx {} | 84 | counter ipv6-pd-rx {} |
@@ -104,6 +105,7 @@ table inet filter { | |||
104 | counter ssh-tx {} | 105 | counter ssh-tx {} |
105 | counter mosh-tx {} | 106 | counter mosh-tx {} |
106 | counter dns-tx {} | 107 | counter dns-tx {} |
108 | counter nfs-tx {} | ||
107 | counter wg-tx {} | 109 | counter wg-tx {} |
108 | counter yggdrasil-gre-tx {} | 110 | counter yggdrasil-gre-tx {} |
109 | counter ipv6-pd-tx {} | 111 | counter ipv6-pd-tx {} |
@@ -152,7 +154,7 @@ table inet filter { | |||
152 | 154 | ||
153 | 155 | ||
154 | ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop | 156 | ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop |
155 | 157 | ||
156 | 158 | ||
157 | iifname lo counter name rx-lo accept | 159 | iifname lo counter name rx-lo accept |
158 | iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject | 160 | iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject |
@@ -165,8 +167,9 @@ table inet filter { | |||
165 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept | 167 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept |
166 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept | 168 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept |
167 | 169 | ||
168 | iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept | 170 | iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept |
169 | iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept | 171 | |
172 | iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept | ||
170 | 173 | ||
171 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept | 174 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept |
172 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept | 175 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept |
@@ -182,7 +185,8 @@ table inet filter { | |||
182 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept | 185 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept |
183 | 186 | ||
184 | iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept | 187 | iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept |
185 | 188 | iifname lan tcp dport 80 counter name http-rx accept | |
189 | |||
186 | iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept | 190 | iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept |
187 | 191 | ||
188 | ct state {established, related} counter name established-rx accept | 192 | ct state {established, related} counter name established-rx accept |
@@ -209,8 +213,9 @@ table inet filter { | |||
209 | tcp sport 22 counter name ssh-tx | 213 | tcp sport 22 counter name ssh-tx |
210 | udp sport 60000-61000 counter name mosh-tx | 214 | udp sport 60000-61000 counter name mosh-tx |
211 | 215 | ||
212 | tcp sport 53 counter name dns-tx | 216 | meta l4proto {tcp, udp} th sport 53 counter name dns-tx |
213 | udp sport 53 counter name dns-tx | 217 | |
218 | tcp sport 2049 counter name nfs-tx | ||
214 | 219 | ||
215 | meta protocol ip udp sport 51820 counter name wg-tx | 220 | meta protocol ip udp sport 51820 counter name wg-tx |
216 | meta protocol ip6 udp sport {51821,51822} counter name wg-tx | 221 | meta protocol ip6 udp sport {51821,51822} counter name wg-tx |
@@ -225,7 +230,7 @@ table inet filter { | |||
225 | udp sport { 137, 138, 3702 } counter name samba-tx accept | 230 | udp sport { 137, 138, 3702 } counter name samba-tx accept |
226 | tcp sport { 445, 139, 5357 } counter name samba-tx accept | 231 | tcp sport { 445, 139, 5357 } counter name samba-tx accept |
227 | 232 | ||
228 | tcp sport {80,443} counter name http-tx accept | 233 | tcp sport { 80, 443 } counter name http-tx accept |
229 | 234 | ||
230 | udp sport 69 counter name tftp-tx accept | 235 | udp sport 69 counter name tftp-tx accept |
231 | udp dport 69 counter name tftp-tx accept | 236 | udp dport 69 counter name tftp-tx accept |
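Review bot: The new input rule `iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept` (new line 172 in hunk `@@ -165,8 +167,9 @@`) accepts NFS from every peer reachable over the yggdrasil interface with no source-address match, whereas the neighbouring wg rules at least constrain the protocol family with `meta protocol ip`/`ip6`. Whether that is acceptable depends on the export options and authentication flavour configured on the server, neither of which is visible here; if the exports use AUTH_SYS the server trusts client-supplied uid/gid, so this rule is the only network-level gate for the yggdrasil side. If only known hosts mount from yggdrasil, consider restricting the rule to a named set of client addresses, e.g. `iifname { lan, yggdrasil } ip6 saddr @nfs_clients tcp dport 2049 counter name nfs-rx accept` (set name is a placeholder), or at minimum add a comment above the rule recording which clients are expected. The output-side counterpart `tcp sport 2049 counter name nfs-tx` in `@@ -209,8 +213,9 @@` follows the existing dns-tx pattern of counting without a verdict, so it needs no change on its own.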