diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-28 21:42:05 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-28 21:42:05 +0100 |
| commit | c09d60d686dc53e19dbfb5d58fa705ad4a2ec06c (patch) | |
| tree | fabf9c218589f07c142bf679acc6036f6315e618 /hosts/vidhar/ruleset.nft | |
| parent | 5de2d7b834171b75d79e86aa2097df27ee529aee (diff) | |
| download | nixos-c09d60d686dc53e19dbfb5d58fa705ad4a2ec06c.tar nixos-c09d60d686dc53e19dbfb5d58fa705ad4a2ec06c.tar.gz nixos-c09d60d686dc53e19dbfb5d58fa705ad4a2ec06c.tar.bz2 nixos-c09d60d686dc53e19dbfb5d58fa705ad4a2ec06c.tar.xz nixos-c09d60d686dc53e19dbfb5d58fa705ad4a2ec06c.zip | |
vidhar: samba
Diffstat (limited to 'hosts/vidhar/ruleset.nft')
| -rw-r--r-- | hosts/vidhar/ruleset.nft | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft index 9135327f..53ae3c92 100644 --- a/hosts/vidhar/ruleset.nft +++ b/hosts/vidhar/ruleset.nft | |||
| @@ -42,6 +42,13 @@ table inet filter { | |||
| 42 | } | 42 | } |
| 43 | 43 | ||
| 44 | 44 | ||
| 45 | chain forward_icmp_accept { | ||
| 46 | oifname dsl limit name lim_icmp_dsl counter drop | ||
| 47 | iifname dsl limit name lim_icmp_dsl counter drop | ||
| 48 | oifname != dsl limit name lim_icmp_local counter drop | ||
| 49 | iifname != dsl limit name lim_icmp_local counter drop | ||
| 50 | counter accept | ||
| 51 | } | ||
| 45 | chain forward { | 52 | chain forward { |
| 46 | type filter hook forward priority filter | 53 | type filter hook forward priority filter |
| 47 | policy drop | 54 | policy drop |
| @@ -52,11 +59,7 @@ table inet filter { | |||
| 52 | 59 | ||
| 53 | iifname lo counter accept | 60 | iifname lo counter accept |
| 54 | 61 | ||
| 55 | oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop | 62 | oifname {eno1, dsl} meta l4proto $icmp_protos forward_icmp_accept |
| 56 | iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop | ||
| 57 | oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop | ||
| 58 | iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop | ||
| 59 | meta l4proto $icmp_protos counter accept | ||
| 60 | 63 | ||
| 61 | iifname eno1 oifname dsl counter accept | 64 | iifname eno1 oifname dsl counter accept |
| 62 | iifname dsl oifname eno1 ct state {established, related} counter accept | 65 | iifname dsl oifname eno1 ct state {established, related} counter accept |
| @@ -104,6 +107,9 @@ table inet filter { | |||
| 104 | 107 | ||
| 105 | iifname {eno1, mgmt} udp dport 67 counter accept | 108 | iifname {eno1, mgmt} udp dport 67 counter accept |
| 106 | 109 | ||
| 110 | iifname eno1 udp dport { 137, 138, 3702 } counter accept | ||
| 111 | iifname eno1 tcp dport { 445, 139, 5357 } counter accept | ||
| 112 | |||
| 107 | ct state {established, related} counter accept | 113 | ct state {established, related} counter accept |
| 108 | 114 | ||
| 109 | 115 | ||