| author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-04 19:23:36 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-04 19:23:36 +0100 |
| commit | 29480b6e86ca6057d4151accdb5d4103f1657596 (patch) | |
| tree | aad8ef8a38f2b679ff64039d6a2445eba9041d09 /hosts/vidhar/network | |
| parent | 7fcaba2d4cabc8d5dfd35648ec1b9b6795e490ec (diff) | |
...
Diffstat (limited to 'hosts/vidhar/network')
| -rw-r--r-- | hosts/vidhar/network/default.nix | 4 | ||||
| -rw-r--r-- | hosts/vidhar/network/dhcp/default.nix | 7 | ||||
| -rw-r--r-- | hosts/vidhar/network/dsl.nix | 15 | ||||
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 22 |
4 files changed, 21 insertions, 27 deletions
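--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -24,7 +24,7 @@ with lib;
 { address = "10.141.1.1"; prefixLength = 24; }
 ];
 };
-interfaces."dmz01" = {
+interfaces."wifibh" = {
 ipv4.addresses = [
 { address = "10.141.2.1"; prefixLength = 24; }
 ];
@@ -39,7 +39,7 @@ with lib;
 id = 3;
 interface = "eno2";
 };
-dmz01 = {
+wifibh = {
 id = 4;
 interface = "eno2";
 };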
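--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -108,10 +108,6 @@ with lib;
 { hostname = "geri";
 hw-address = "0e:e6:43:5e:37:7b";
 }
-{ hostname = "printer";
-hw-address = "30:cd:a7:b0:55:8d";
-ip-address = "10.141.0.2";
-}
 ];
 }
 { subnet = "10.141.1.0/24";
@@ -122,6 +118,9 @@ with lib;
 { name = "broadcast-address";
 data = "10.141.1.255";
 }
+{ name = "ntp-servers";
+data = "10.141.1.1";
+}
 { name = "domain-name";
 data = "yggdrasil";
 }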
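Review bot: The new `ntp-servers` option in the second hunk hands every client on 10.141.1.0/24 the address 10.141.1.1 as its time source, but the ruleset.nft input chain touched by this same commit still only accepts `udp dport 123` from `iifname { mgmt, ve-printing }` — if 10.141.1.0/24 is the `lan` interface, clients will be told to use an NTP server whose packets the host drops. Either extend the `ntp-rx` rule to `iifname { lan, mgmt, ve-printing } udp dport 123 counter name ntp-rx accept`, or leave the option out until a listener and matching rule exist. Whether 10.141.1.1 actually runs an NTP service cannot be seen from this diff, so please confirm before changing the firewall. The subnet definition this option belongs to starts and ends outside the hunk.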
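--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -97,13 +97,6 @@ in {
 dnssl = [{ domain_names = ["yggdrasil"]; }];
 # other_config = true;
 }
-{ name = "dmz01";
-advertise = true;
-verbose = true;
-prefix = [{ prefix = "::/64"; }];
-route = [{ prefix = "::/0"; }];
-rdnss = [{ servers = ["::"]; }];
-}
 ];
 
 debug = {
@@ -123,11 +116,6 @@ in {
 interface = "lan";
 network = "::/0";
 };
-dmz01 = {
-method = "iface";
-interface = "dmz01";
-network = "::/0";
-};
 };
 };
 };
@@ -170,7 +158,7 @@ in {
 '';
 
 postStop = ''
-for dev in lan dmz01; do
+for dev in lan; do
 ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
 done
 '';
@@ -195,7 +183,6 @@ in {
 iaid 1195061668
 ipv6rs # enable routing solicitation for WAN adapter
 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
-ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01
 
 reboot 0
 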
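Review bot: The interface that default.nix renames from `dmz01` to `wifibh` keeps its VLAN id and IPv4 address there, but every IPv6 piece for it is deleted here rather than renamed — the router-advertisement entry in the first hunk, the `dmz01` route in the second, the postStop address cleanup and the `ia_pd 1 dmz01/1/64/0` delegation — so `wifibh` ends up with DHCPv4 service (the ruleset still lists it for `dhcp-rx`) but no router advertisements or delegated prefix. If the interface is meant to be IPv4-only that is a reasonable outcome, but it is not visible from the rename itself; a comment next to `interfaces."wifibh"` in default.nix such as `# IPv4 only on purpose: no RA / prefix delegation (see dsl.nix)` would keep the next reader from re-adding it. If it is not intended, the removed entries should be renamed instead. The dhcpcd configuration block in the last hunk continues outside it.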
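--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -59,6 +59,9 @@ table inet filter {
 counter fw-lo {}
 counter fw-lan {}
 counter fw-dsl {}
+counter fw-printing {}
+
+counter fw-cups {}
 
 counter reject-ratelimit-fw {}
 counter reject-fw {}
@@ -137,12 +140,17 @@ table inet filter {
 
 iifname lo counter name fw-lo accept
 
-oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
+oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept
-
 iifname lan oifname { dsl, bifrost } counter name fw-lan accept
-iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
 
 
+iifname lan oifname ve-printing ip daddr 10.141.4.1 tcp dport 631 counter name fw-cups accept
+iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:4::1 tcp dport 631 counter name fw-cups accept
+
+
+iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept
+iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+
 
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
 log level debug prefix "reject forward: " counter name reject-fw
@@ -169,7 +177,7 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 
-iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
+iifname { lan, mgmt, wifibh, yggdrasil, ve-printing } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 
 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 
@@ -179,9 +187,9 @@ table inet filter {
 
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
-iifname mgmt udp dport 123 counter name ntp-rx accept
+iifname { mgmt, ve-printing } udp dport 123 counter name ntp-rx accept
 
-iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
+iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept
 
 iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
@@ -268,4 +276,4 @@ table ip mss_clamp {
 
 oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu
 }
-}
\ No newline at end of file
+}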
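Review bot: In the forward-chain hunk, the widened rule `oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept` carries no `iifname` match, so ICMP/ICMPv6 arriving on `dsl` and addressed to the printing container is handed to `forward_icmp_accept` just like traffic for `lan`, and the `fw-cups` rule a few lines below shows the container has a globally routable address (2a03:4000:52:ada:4::1). That mirrors how `lan` is already treated, so it may be intentional; if the container only needs to be reachable from `lan`, keep it out of the shared set and add `iifname lan oifname ve-printing meta l4proto $icmp_protos jump forward_icmp_accept` on its own line instead. `forward_icmp_accept` is defined outside this section, so which types it lets through cannot be verified here. The new `fw-cups` and `fw-printing` rules are otherwise tight: the container can only answer connections that `lan` initiated to port 631 on its two listed addresses.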
