authorGregor Kleen <gkleen@yggdrasil.li>2022-10-22 19:33:45 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-10-22 19:33:45 +0200
commitddcc8c65e30a9ca3b56e25466e749cb100b28510 (patch)
tree869c782c4e5874d4d353d3cd82af5b0e2dfe9a45 /hosts/vidhar/network/ruleset.nft
parent0b7bd91465487426041c777a40de3be9f7407058 (diff)
...
Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
-rw-r--r--hosts/vidhar/network/ruleset.nft19
1 files changed, 12 insertions, 7 deletions
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index c0da0fa6..473f8a20 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -78,6 +78,7 @@ table inet filter {
78 counter ssh-rx {} 78 counter ssh-rx {}
79 counter mosh-rx {} 79 counter mosh-rx {}
80 counter dns-rx {} 80 counter dns-rx {}
81 counter nfs-rx {}
81 counter wg-rx {} 82 counter wg-rx {}
82 counter yggdrasil-gre-rx {} 83 counter yggdrasil-gre-rx {}
83 counter ipv6-pd-rx {} 84 counter ipv6-pd-rx {}
@@ -104,6 +105,7 @@ table inet filter {
104 counter ssh-tx {} 105 counter ssh-tx {}
105 counter mosh-tx {} 106 counter mosh-tx {}
106 counter dns-tx {} 107 counter dns-tx {}
108 counter nfs-tx {}
107 counter wg-tx {} 109 counter wg-tx {}
108 counter yggdrasil-gre-tx {} 110 counter yggdrasil-gre-tx {}
109 counter ipv6-pd-tx {} 111 counter ipv6-pd-tx {}
@@ -152,7 +154,7 @@ table inet filter {
152 154
153 155
154 ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop 156 ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
155 157
156 158
157 iifname lo counter name rx-lo accept 159 iifname lo counter name rx-lo accept
158 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject 160 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
@@ -165,8 +167,9 @@ table inet filter {
165 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept 167 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
166 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept 168 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
167 169
168 iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept 170 iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
169 iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept 171
172 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
170 173
171 iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept 174 iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
172 iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept 175 iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
@@ -182,7 +185,8 @@ table inet filter {
182 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept 185 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
183 186
184 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept 187 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
185 188 iifname lan tcp dport 80 counter name http-rx accept
189
186 iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept 190 iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
187 191
188 ct state {established, related} counter name established-rx accept 192 ct state {established, related} counter name established-rx accept
@@ -209,8 +213,9 @@ table inet filter {
209 tcp sport 22 counter name ssh-tx 213 tcp sport 22 counter name ssh-tx
210 udp sport 60000-61000 counter name mosh-tx 214 udp sport 60000-61000 counter name mosh-tx
211 215
212 tcp sport 53 counter name dns-tx 216 meta l4proto {tcp, udp} th sport 53 counter name dns-tx
213 udp sport 53 counter name dns-tx 217
218 tcp sport 2049 counter name nfs-tx
214 219
215 meta protocol ip udp sport 51820 counter name wg-tx 220 meta protocol ip udp sport 51820 counter name wg-tx
216 meta protocol ip6 udp sport {51821,51822} counter name wg-tx 221 meta protocol ip6 udp sport {51821,51822} counter name wg-tx
@@ -225,7 +230,7 @@ table inet filter {
225 udp sport { 137, 138, 3702 } counter name samba-tx accept 230 udp sport { 137, 138, 3702 } counter name samba-tx accept
226 tcp sport { 445, 139, 5357 } counter name samba-tx accept 231 tcp sport { 445, 139, 5357 } counter name samba-tx accept
227 232
228 tcp sport {80,443} counter name http-tx accept 233 tcp sport { 80, 443 } counter name http-tx accept
229 234
230 udp sport 69 counter name tftp-tx accept 235 udp sport 69 counter name tftp-tx accept
231 udp dport 69 counter name tftp-tx accept 236 udp dport 69 counter name tftp-tx accept
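Review bot: The new `nfs-rx` rule (new line 172, hunk @@ -165,8 +167,9) admits tcp/2049 from both `lan` and `yggdrasil`, and since that interface set is the only network-level control on the NFS service, it is worth confirming that every host on the yggdrasil side is meant to be an NFS client: with the default `sec=sys` exports the server trusts client-supplied uid/gid, so the allow list in this rule is effectively the access control. If that is not intended, restricting to `iifname lan` or adding a source set (constructed example: `iifname { lan, yggdrasil } ip6 saddr @nfs-clients tcp dport 2049 counter name nfs-rx accept`) keeps the trust boundary explicit; a short comment naming the exports this rule serves would also help the next reader. Note the rule covers NFSv4 only — if NFSv3 is also served, its rpcbind/mountd ports are not opened here, which is probably correct but not visible from the hunk. On style, the set spacing in new line 216 (`{tcp, udp}`) differs from new line 170 (`{ tcp, udp }`) even though this same commit normalizes `{80,443}` to `{ 80, 443 }` at new line 233; `meta l4proto { tcp, udp } th sport 53 counter name dns-tx` would make the three consistent.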