-rw-r--r--hosts/surtr/dns/default.nix9
-rw-r--r--hosts/surtr/ruleset.nft3
2 files changed, 3 insertions, 9 deletions
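--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -7,15 +7,6 @@
 };
 
 systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
-
-networking.firewall = {
-allowedTCPPorts = [
-53 # DNS
-];
-allowedUDPPorts = [
-53 # DNS
-];
-};
 
 services.knot = {
 enable = true;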
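--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -79,6 +79,9 @@ table inet filter {
 meta protocol ip6 udp dport 51821 counter accept
 udp dport 60000-61000 counter accept
 
+tcp dport 53 counter accept
+udp dport 53 counter accept
+
 
 limit name lim_reject log prefix "drop input: " counter drop
 log prefix "reject input: " counter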
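Review bot: The two new accept rules for port 53 lose the `# DNS` annotation that the deleted `networking.firewall` block in hosts/surtr/dns/default.nix carried, and nothing in the ruleset now records that these ports are opened for the knot service configured there, so a later reader cannot tell whether they can be removed when that service changes. A one-line comment on each rule keeps the coupling visible, e.g. `tcp dport 53 counter accept # DNS, served by services.knot (hosts/surtr/dns/default.nix)` and the same on the udp line. Unlike the neighbouring rule at 79, which is scoped with `meta protocol ip6`, the new rules match on dport alone across both address families and every interface; if knot listens only on specific addresses, restricting these rules with a matching `daddr` set would keep the exposed surface equal to what the daemon actually serves. The enclosing chain begins outside this hunk, so the position of these rules relative to any interface or conntrack filtering earlier in the chain cannot be confirmed here.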