diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-05 11:20:27 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-05 11:20:27 +0100 |
| commit | ef39030d83fb488b16035c82f1f876ed103f541a (patch) | |
| tree | 995bae492901f8370db02b99d95123630d515e18 /hosts/vidhar/printing | |
| parent | 29480b6e86ca6057d4151accdb5d4103f1657596 (diff) | |
| download | nixos-ef39030d83fb488b16035c82f1f876ed103f541a.tar nixos-ef39030d83fb488b16035c82f1f876ed103f541a.tar.gz nixos-ef39030d83fb488b16035c82f1f876ed103f541a.tar.bz2 nixos-ef39030d83fb488b16035c82f1f876ed103f541a.tar.xz nixos-ef39030d83fb488b16035c82f1f876ed103f541a.zip | |
...
Diffstat (limited to 'hosts/vidhar/printing')
| -rw-r--r-- | hosts/vidhar/printing/default.nix | 14 | ||||
| -rw-r--r-- | hosts/vidhar/printing/ruleset.nft | 11 |
2 files changed, 13 insertions, 12 deletions
diff --git a/hosts/vidhar/printing/default.nix b/hosts/vidhar/printing/default.nix index 0e0dfcf7..d844823b 100644 --- a/hosts/vidhar/printing/default.nix +++ b/hosts/vidhar/printing/default.nix | |||
| @@ -10,10 +10,10 @@ in { | |||
| 10 | privateNetwork = true; | 10 | privateNetwork = true; |
| 11 | ephemeral = true; | 11 | ephemeral = true; |
| 12 | autoStart = true; | 12 | autoStart = true; |
| 13 | hostAddress = "10.141.4.0"; | 13 | hostAddress = "10.141.5.0"; |
| 14 | hostAddress6 = "2a03:4000:52:ada:4::"; | 14 | hostAddress6 = "2a03:4000:52:ada:5::"; |
| 15 | localAddress = "10.141.4.1"; | 15 | localAddress = "10.141.5.1"; |
| 16 | localAddress6 = "2a03:4000:52:ada:4::1"; | 16 | localAddress6 = "2a03:4000:52:ada:5::1"; |
| 17 | interfaces = [ "printer" ]; | 17 | interfaces = [ "printer" ]; |
| 18 | config = let | 18 | config = let |
| 19 | hostConfig = config; | 19 | hostConfig = config; |
| @@ -42,10 +42,10 @@ in { | |||
| 42 | { subnet = "10.141.3.0/24"; | 42 | { subnet = "10.141.3.0/24"; |
| 43 | option-data = [ | 43 | option-data = [ |
| 44 | { name = "domain-name-servers"; | 44 | { name = "domain-name-servers"; |
| 45 | data = "10.141.4.0"; | 45 | data = "10.141.5.0"; |
| 46 | } | 46 | } |
| 47 | { name = "ntp-servers"; | 47 | { name = "ntp-servers"; |
| 48 | data = "10.141.4.0"; | 48 | data = "10.141.5.0"; |
| 49 | } | 49 | } |
| 50 | { name = "broadcast-address"; | 50 | { name = "broadcast-address"; |
| 51 | data = "10.141.3.255"; | 51 | data = "10.141.3.255"; |
| @@ -81,7 +81,7 @@ in { | |||
| 81 | allowFrom = [ "all" ]; | 81 | allowFrom = [ "all" ]; |
| 82 | extraConf = '' | 82 | extraConf = '' |
| 83 | ServerName printing | 83 | ServerName printing |
| 84 | ServerAlias 10.141.4.1 2a03:4000:52:ada:4::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil | 84 | ServerAlias 10.141.5.1 2a03:4000:52:ada:5::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil |
| 85 | ''; | 85 | ''; |
| 86 | }; | 86 | }; |
| 87 | 87 | ||
diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft index c3027567..e47256c3 100644 --- a/hosts/vidhar/printing/ruleset.nft +++ b/hosts/vidhar/printing/ruleset.nft | |||
| @@ -44,6 +44,7 @@ table inet filter { | |||
| 44 | counter fw-printer {} | 44 | counter fw-printer {} |
| 45 | counter fw-host {} | 45 | counter fw-host {} |
| 46 | 46 | ||
| 47 | counter icmp-fw {} | ||
| 47 | counter icmp-ratelimit-fw {} | 48 | counter icmp-ratelimit-fw {} |
| 48 | 49 | ||
| 49 | counter reject-ratelimit-fw {} | 50 | counter reject-ratelimit-fw {} |
| @@ -97,9 +98,9 @@ table inet filter { | |||
| 97 | meta l4proto $icmp_protos counter name icmp-fw accept | 98 | meta l4proto $icmp_protos counter name icmp-fw accept |
| 98 | 99 | ||
| 99 | 100 | ||
| 100 | iifname printer oifname eth0 ip daddr 10.141.4.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept | 101 | iifname printer oifname eth0 ip daddr 10.141.5.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept |
| 101 | iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:4:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept | 102 | iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:5:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept |
| 102 | iifname eth0 oifname printer counter fw-host accept | 103 | iifname eth0 oifname printer counter name fw-host accept |
| 103 | 104 | ||
| 104 | 105 | ||
| 105 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop | 106 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop |
| @@ -127,8 +128,8 @@ table inet filter { | |||
| 127 | meta l4proto $icmp_protos counter name icmp-rx accept | 128 | meta l4proto $icmp_protos counter name icmp-rx accept |
| 128 | 129 | ||
| 129 | 130 | ||
| 130 | ip6 saddr 2a03:4000:52:ada:4:: tcp dport 631 counter name cups-rx accept | 131 | ip6 saddr 2a03:4000:52:ada:5:: tcp dport 631 counter name cups-rx accept |
| 131 | ip saddr 10.141.4.0 tcp dport 631 counter name cups-rx accept | 132 | ip saddr 10.141.5.0 tcp dport 631 counter name cups-rx accept |
| 132 | 133 | ||
| 133 | ct state {established, related} counter name established-rx accept | 134 | ct state {established, related} counter name established-rx accept |
| 134 | 135 | ||