author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-05 12:00:31 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-05 12:00:31 +0100 |
commit | 3442fd12a9305905b9e77ac81cae25d6b5a91b18 (patch) | |
tree | e85d5108b1218158ccfda32677232fb7a2d47337 /hosts | |
parent | 73d27b7275b155fa6572a5ea23717ff2f4ee8dc9 (diff) | |
...
Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/vidhar/network/ruleset.nft | 19 | ||||
-rw-r--r-- | hosts/vidhar/printing/ruleset.nft | 3 |
2 files changed, 10 insertions, 12 deletions
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 47a55fcc..deeadeef 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
@@ -143,13 +143,14 @@ table inet filter { | |||
143 | oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept | 143 | oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept |
144 | iifname lan oifname { dsl, bifrost } counter name fw-lan accept | 144 | iifname lan oifname { dsl, bifrost } counter name fw-lan accept |
145 | 145 | ||
146 | |||
147 | iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept | 146 | iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept |
148 | iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept | 147 | iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept |
149 | 148 | ||
149 | iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept | ||
150 | iifname dsl oifname { lan, ve-printing } ct state { established, related } counter name fw-dsl accept | ||
150 | 151 | ||
151 | iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept | 152 | iifname ve-printing oifname lan ct state { established, related } counter name fw-printing accept |
152 | iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept | 153 | iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept |
153 | 154 | ||
154 | 155 | ||
155 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop | 156 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop |
@@ -191,8 +192,7 @@ table inet filter { | |||
191 | 192 | ||
192 | iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept | 193 | iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept |
193 | 194 | ||
194 | iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept | 195 | iifname lan meta l4proto . th dport { udp . 137, udp . 138, tcp . 139, tcp . 445, udp . 3702, tcp . 5357 } counter name samba-rx accept |
195 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept | ||
196 | 196 | ||
197 | iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept | 197 | iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept |
198 | iifname lan tcp dport 80 counter name http-rx accept | 198 | iifname lan tcp dport 80 counter name http-rx accept |
@@ -201,7 +201,7 @@ table inet filter { | |||
201 | 201 | ||
202 | iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept | 202 | iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept |
203 | 203 | ||
204 | ct state {established, related} counter name established-rx accept | 204 | ct state { established, related } counter name established-rx accept |
205 | 205 | ||
206 | 206 | ||
207 | limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop | 207 | limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop |
@@ -225,12 +225,12 @@ table inet filter { | |||
225 | tcp sport 22 counter name ssh-tx | 225 | tcp sport 22 counter name ssh-tx |
226 | udp sport 60000-61000 counter name mosh-tx | 226 | udp sport 60000-61000 counter name mosh-tx |
227 | 227 | ||
228 | meta l4proto {tcp, udp} th sport 53 counter name dns-tx | 228 | meta l4proto { tcp, udp } th sport 53 counter name dns-tx |
229 | 229 | ||
230 | tcp sport 2049 counter name nfs-tx | 230 | tcp sport 2049 counter name nfs-tx |
231 | 231 | ||
232 | meta protocol ip udp sport 51820 counter name wg-tx | 232 | meta protocol ip udp sport 51820 counter name wg-tx |
233 | meta protocol ip6 udp sport {51821,51822} counter name wg-tx | 233 | meta protocol ip6 udp sport { 51821, 51822 } counter name wg-tx |
234 | iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx | 234 | iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx |
235 | 235 | ||
236 | meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx | 236 | meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx |
@@ -239,8 +239,7 @@ table inet filter { | |||
239 | 239 | ||
240 | udp sport 67 counter name dhcp-tx accept | 240 | udp sport 67 counter name dhcp-tx accept |
241 | 241 | ||
242 | udp sport { 137, 138, 3702 } counter name samba-tx accept | 242 | meta l4proto . th sport { udp . 137, udp . 138, tcp . 139, tcp . 445, udp . 3702, tcp . 5357 } counter name samba-tx accept |
243 | tcp sport { 445, 139, 5357 } counter name samba-tx accept | ||
244 | 243 | ||
245 | tcp sport { 80, 443 } counter name http-tx accept | 244 | tcp sport { 80, 443 } counter name http-tx accept |
246 | 245 | ||
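Review bot: The new forward rule `iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept` (new line 149 in the first hunk) gives the printing container unrestricted egress to any Internet host on 80/443, which is a ready callback or exfiltration path should the CUPS service it exposes on 631 be compromised. If this egress exists only for driver or firmware downloads, pin it to a named set of destination addresses or send it through a proxy on the host, and document in a comment above the rule which destinations it is meant for. Also, the new `iifname dsl oifname { lan, ve-printing } ct state { established, related } counter name fw-dsl accept` (new 150) already covers `oifname lan`, so the retained `iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept` at new 153 can never match and should be removed. The forward chain these rules belong to starts and ends outside the hunk, and the diffstat (19 lines) is larger than the visible changes, so some whitespace-only edits in this file are presumably not distinguishable on this page.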
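--- a/hosts/vidhar/printing/ruleset.nft
+++ b/hosts/vidhar/printing/ruleset.nft
@@ -130,8 +130,7 @@ table inet filter {
 meta l4proto $icmp_protos counter name icmp-rx accept
 
 
-ip6 saddr 2a03:4000:52:ada:5:: tcp dport 631 counter name cups-rx accept
-ip saddr 10.141.5.0 tcp dport 631 counter name cups-rx accept
+tcp dport 631 counter name cups-rx accept
 
 iifname printer udp dport 67 counter name dhcp-rx accept
 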