diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-13 21:41:10 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-13 21:41:10 +0100 |
| commit | d8922d513a35bf5e7d75ea0d812d7dcdb6f2c395 (patch) | |
| tree | 5db2e4ca378b260ae09c9a57971e77bc425e4cb1 /hosts | |
| parent | 3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f (diff) | |
| download | nixos-d8922d513a35bf5e7d75ea0d812d7dcdb6f2c395.tar nixos-d8922d513a35bf5e7d75ea0d812d7dcdb6f2c395.tar.gz nixos-d8922d513a35bf5e7d75ea0d812d7dcdb6f2c395.tar.bz2 nixos-d8922d513a35bf5e7d75ea0d812d7dcdb6f2c395.tar.xz nixos-d8922d513a35bf5e7d75ea0d812d7dcdb6f2c395.zip | |
nftables: ...
Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/surtr/ruleset.nft | 4 | ||||
| -rw-r--r-- | hosts/vidhar/ruleset.nft | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index f8cadc94..0a9ff530 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft | |||
| @@ -72,8 +72,6 @@ table inet filter { | |||
| 72 | meta l4proto $icmp_protos limit name lim_icmp counter drop | 72 | meta l4proto $icmp_protos limit name lim_icmp counter drop |
| 73 | meta l4proto $icmp_protos counter accept | 73 | meta l4proto $icmp_protos counter accept |
| 74 | 74 | ||
| 75 | ct state {established, related} counter accept | ||
| 76 | |||
| 77 | tcp dport 22 counter accept | 75 | tcp dport 22 counter accept |
| 78 | meta protocol ip udp dport 51820 counter accept | 76 | meta protocol ip udp dport 51820 counter accept |
| 79 | meta protocol ip6 udp dport 51821 counter accept | 77 | meta protocol ip6 udp dport 51821 counter accept |
| @@ -82,6 +80,8 @@ table inet filter { | |||
| 82 | tcp dport 53 counter accept | 80 | tcp dport 53 counter accept |
| 83 | udp dport 53 counter accept | 81 | udp dport 53 counter accept |
| 84 | 82 | ||
| 83 | ct state {established, related} counter accept | ||
| 84 | |||
| 85 | 85 | ||
| 86 | limit name lim_reject log prefix "drop input: " counter drop | 86 | limit name lim_reject log prefix "drop input: " counter drop |
| 87 | log prefix "reject input: " counter | 87 | log prefix "reject input: " counter |
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft index 3d4d1bb0..ca0e5716 100644 --- a/hosts/vidhar/ruleset.nft +++ b/hosts/vidhar/ruleset.nft | |||
| @@ -88,14 +88,14 @@ table inet filter { | |||
| 88 | iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop | 88 | iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop |
| 89 | meta l4proto $icmp_protos counter accept | 89 | meta l4proto $icmp_protos counter accept |
| 90 | 90 | ||
| 91 | ct state {established, related} counter accept | ||
| 92 | |||
| 93 | tcp dport 22 counter accept | 91 | tcp dport 22 counter accept |
| 94 | meta protocol ip udp dport 51820 counter accept | 92 | meta protocol ip udp dport 51820 counter accept |
| 95 | udp dport 60000-61000 counter accept | 93 | udp dport 60000-61000 counter accept |
| 96 | 94 | ||
| 97 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept | 95 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept |
| 98 | 96 | ||
| 97 | ct state {established, related} counter accept | ||
| 98 | |||
| 99 | 99 | ||
| 100 | limit name lim_reject log prefix "drop input: " counter drop | 100 | limit name lim_reject log prefix "drop input: " counter drop |
| 101 | log prefix "reject input: " counter | 101 | log prefix "reject input: " counter |