summaryrefslogtreecommitdiff
path: root/hosts
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2022-02-06 18:20:18 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-06 18:20:18 +0100
commitabd86d7bd35ae30e9eeffc33a798faca9e2b0486 (patch)
treec861a2fec32b927c8edb749b28c21f5eb74e6c9c /hosts
parent33988e75d8c35dd26de46645971ac1d6fb6eb3e6 (diff)
downloadnixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar
nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar.gz
nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar.bz2
nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar.xz
nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.zip
bifrost: ...
Diffstat (limited to 'hosts')
-rw-r--r--hosts/surtr/ruleset.nft6
-rw-r--r--hosts/vidhar/network/ruleset.nft18
2 files changed, 13 insertions, 11 deletions
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 9d6fd373..998bd037 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -44,10 +44,12 @@ table inet filter {
44 44
45 iifname lo counter accept 45 iifname lo counter accept
46 46
47 meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 limit name lim_icmp counter drop 47 meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} limit name lim_icmp counter drop
48 meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 counter accept 48 meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} counter accept
49 meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop 49 meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
50 meta l4proto $icmp_protos ct state {established, related} counter accept 50 meta l4proto $icmp_protos ct state {established, related} counter accept
51 meta l4proto $icmp_protos oifname bifrost limit name lim_icmp counter drop
52 meta l4proto $icmp_protos oifname bifrost counter accept
51 53
52 54
53 oifname bifrost counter accept 55 oifname bifrost counter accept
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 7b2160d1..f2b1eda0 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -117,10 +117,10 @@ table inet filter {
117 117
118 118
119 chain forward_icmp_accept { 119 chain forward_icmp_accept {
120 oifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop 120 oifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
121 iifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop 121 iifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
122 oifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 122 oifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
123 iifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 123 iifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
124 counter name icmp-fw accept 124 counter name icmp-fw accept
125 } 125 }
126 chain forward { 126 chain forward {
@@ -133,7 +133,7 @@ table inet filter {
133 133
134 iifname lo counter name fw-lo accept 134 iifname lo counter name fw-lo accept
135 135
136 oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept 136 oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
137 137
138 iifname lan oifname { dsl, bifrost } counter name fw-lan accept 138 iifname lan oifname { dsl, bifrost } counter name fw-lan accept
139 iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept 139 iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
@@ -158,8 +158,8 @@ table inet filter {
158 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject 158 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
159 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject 159 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
160 160
161 iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop 161 iifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop
162 iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop 162 iifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
163 meta l4proto $icmp_protos counter name icmp-rx accept 163 meta l4proto $icmp_protos counter name icmp-rx accept
164 164
165 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept 165 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
@@ -201,8 +201,8 @@ table inet filter {
201 201
202 oifname lo counter name tx-lo accept 202 oifname lo counter name tx-lo accept
203 203
204 oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop 204 oifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop
205 oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop 205 oifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
206 meta l4proto $icmp_protos counter name icmp-tx accept 206 meta l4proto $icmp_protos counter name icmp-tx accept
207 207
208 208
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-11 06:16:34 +0000