author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-04 19:23:36 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-04 19:23:36 +0100 |
commit | 29480b6e86ca6057d4151accdb5d4103f1657596 (patch) | |
tree | aad8ef8a38f2b679ff64039d6a2445eba9041d09 /hosts/vidhar/network | |
parent | 7fcaba2d4cabc8d5dfd35648ec1b9b6795e490ec (diff) | |
...
Diffstat (limited to 'hosts/vidhar/network')
-rw-r--r-- | hosts/vidhar/network/default.nix | 4 | ||||
-rw-r--r-- | hosts/vidhar/network/dhcp/default.nix | 7 | ||||
-rw-r--r-- | hosts/vidhar/network/dsl.nix | 15 | ||||
-rw-r--r-- | hosts/vidhar/network/ruleset.nft | 22 |
4 files changed, 21 insertions, 27 deletions
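--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -24,7 +24,7 @@ with lib;
 { address = "10.141.1.1"; prefixLength = 24; }
 ];
 };
-interfaces."dmz01" = {
+interfaces."wifibh" = {
 ipv4.addresses = [
 { address = "10.141.2.1"; prefixLength = 24; }
 ];
@@ -39,7 +39,7 @@ with lib;
 id = 3;
 interface = "eno2";
 };
-dmz01 = {
+wifibh = {
 id = 4;
 interface = "eno2";
 };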
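--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -108,10 +108,6 @@ with lib;
 { hostname = "geri";
 hw-address = "0e:e6:43:5e:37:7b";
 }
-{ hostname = "printer";
-hw-address = "30:cd:a7:b0:55:8d";
-ip-address = "10.141.0.2";
-}
 ];
 }
 { subnet = "10.141.1.0/24";
@@ -122,6 +118,9 @@ with lib;
 { name = "broadcast-address";
 data = "10.141.1.255";
 }
+{ name = "ntp-servers";
+data = "10.141.1.1";
+}
 { name = "domain-name";
 data = "yggdrasil";
 }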
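Review bot: The `ntp-servers` option added in the second hunk hands 10.141.1.1 to every client of the 10.141.1.0/24 pool, but the only NTP input rule this commit shows (ruleset.nft, the hunk at -179) accepts `udp dport 123` from `{ mgmt, ve-printing }` only; if 10.141.1.0/24 is the lan subnet, clients are being advertised an NTP server that the host's input chain does not visibly accept from lan. Either extend that rule, `iifname { lan, mgmt, ve-printing } udp dport 123 counter name ntp-rx accept`, or confirm an accept for lan exists outside the shown hunks and say so in a comment next to the option. The subnet definition this option belongs to starts and ends outside the hunk.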
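--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -97,13 +97,6 @@ in {
 dnssl = [{ domain_names = ["yggdrasil"]; }];
 # other_config = true;
 }
-{ name = "dmz01";
-advertise = true;
-verbose = true;
-prefix = [{ prefix = "::/64"; }];
-route = [{ prefix = "::/0"; }];
-rdnss = [{ servers = ["::"]; }];
-}
 ];
 
 debug = {
@@ -123,11 +116,6 @@ in {
 interface = "lan";
 network = "::/0";
 };
-dmz01 = {
-method = "iface";
-interface = "dmz01";
-network = "::/0";
-};
 };
 };
 };
@@ -170,7 +158,7 @@ in {
 '';
 
 postStop = ''
-for dev in lan dmz01; do
+for dev in lan; do
 ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
 done
 '';
@@ -195,7 +183,6 @@ in {
 iaid 1195061668
 ipv6rs # enable routing solicitation for WAN adapter
 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
-ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01
 
 reboot 0
 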
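Review bot: The dmz01 radvd entry, its `::/0` route, the postStop cleanup and the `ia_pd 1 dmz01/1/64/0` line are all removed without a wifibh counterpart in any of the four hunks, so the renamed interface keeps its IPv4 configuration from default.nix (VLAN 4, 10.141.2.1/24) but is left with no router advertisements, no delegated prefix and no IPv6 default route; hosts on it are presumably IPv4-only now. If that is intended, a short comment beside the remaining lan entries, such as `# wifibh (VLAN 4) is deliberately IPv4-only: no RA, PD or v6 route`, would stop the next reader from re-adding it; if not, the radvd, route and ia_pd entries need a wifibh equivalent, and the prefix id `1` freed here is available for it. The attribute sets and the heredocs touched by the hunks start and end outside them.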
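--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -59,6 +59,9 @@ table inet filter {
 counter fw-lo {}
 counter fw-lan {}
 counter fw-dsl {}
+counter fw-printing {}
+
+counter fw-cups {}
 
 counter reject-ratelimit-fw {}
 counter reject-fw {}
@@ -137,12 +140,17 @@ table inet filter {
 
 iifname lo counter name fw-lo accept
 
-oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
-
+oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept
 iifname lan oifname { dsl, bifrost } counter name fw-lan accept
-iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
 
 
+iifname lan oifname ve-printing ip daddr 10.141.4.1 tcp dport 631 counter name fw-cups accept
+iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:4::1 tcp dport 631 counter name fw-cups accept
+
+
+iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept
+iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+
 
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
 log level debug prefix "reject forward: " counter name reject-fw
@@ -169,7 +177,7 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 
-iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
+iifname { lan, mgmt, wifibh, yggdrasil, ve-printing } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 
 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 
@@ -179,9 +187,9 @@ table inet filter {
 
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
-iifname mgmt udp dport 123 counter name ntp-rx accept
+iifname { mgmt, ve-printing } udp dport 123 counter name ntp-rx accept
 
-iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
+iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept
 
 iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
@@ -268,4 +276,4 @@ table ip mss_clamp {
 
 oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu
 }
-}
\ No newline at end of file
+}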
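Review bot: The two CUPS forward rules in the hunk at -137 hard-code the container's addresses (`ip daddr 10.141.4.1`, `ip6 daddr 2a03:4000:52:ada:4::1`) inline, while the same chain already reads shared values through a define (`$icmp_protos`); a `define printing_v4 = 10.141.4.1` and `define printing_v6 = 2a03:4000:52:ada:4::1` at the top of the table, referenced from both rules, would keep them and any later ve-printing rule from drifting apart when the container is renumbered. The block also carries no comment on what ve-printing is or that the asymmetry is deliberate, which is worth stating since it is the whole point of the rules: I would add `# ve-printing container: lan may reach only CUPS (tcp/631) on it; the container gets return traffic to lan plus DNS and NTP from the host and nothing else` above the first fw-cups rule. The double blank lines between the new rule groups differ from the single blank used elsewhere in the chain. The forward chain begins and ends outside the hunk.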