Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
-rw-r--r-- | hosts/vidhar/network/ruleset.nft | 47 |
1 files changed, 5 insertions, 42 deletions
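--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -80,7 +80,6 @@ table inet filter {
 counter dns-rx {}
 counter wg-rx {}
 counter yggdrasil-gre-rx {}
-counter wifibh-gre-rx {}
 counter ipv6-pd-rx {}
 counter ntp-rx {}
 counter dhcp-rx {}
@@ -107,7 +106,6 @@ table inet filter {
 counter dns-tx {}
 counter wg-tx {}
 counter yggdrasil-gre-tx {}
-counter wifibh-gre-tx {}
 counter ipv6-pd-tx {}
 counter ntp-tx {}
 counter dhcp-tx {}
@@ -138,7 +136,8 @@ table inet filter {
 oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
 
 iifname lan oifname dsl counter name fw-lan accept
-iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
+
 
 
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -166,19 +165,18 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
 
-iifname { lan, mgmt } tcp dport 53 counter name dns-rx accept
-iifname { lan, mgmt } udp dport 53 counter name dns-rx accept
+iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
+iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
 
 iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
-iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept
 
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
 iifname mgmt udp dport 123 counter name ntp-rx accept
 
-iifname { lan, mgmt } udp dport 67 counter name dhcp-rx accept
+iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
 
 iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
@@ -217,7 +215,6 @@ table inet filter {
 meta protocol ip udp sport 51820 counter name wg-tx
 meta protocol ip6 udp sport 51821 counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
-iifname wifibh meta l4proto gre counter name wifibh-gre-tx
 
 meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
 
@@ -238,40 +235,6 @@ table inet filter {
 }
 }
 
-table bridge filter {
-counter invalid-fw {}
-counter wifibh-fw {}
-counter lan-fw {}
-
-chain forward {
-type filter hook forward priority filter
-policy drop
-
-
-log level debug prefix "bridge forward: "
-
-
-ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
-
-iifname "wifibh01.lan" counter name wifibh-fw accept
-iifname "eno2.lan" counter name lan-fw accept
-}
-
-chain input {
-type filter hook input priority filter
-policy accept
-
-log level debug prefix "bridge input: "
-}
-
-chain output {
-type filter hook output priority filter
-policy accept
-
-log level debug prefix "bridge output: "
-}
-}
-
 table ip nat {
 counter dsl-nat {}
 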
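Review bot: In the fourth hunk the dmz01 interface is folded into the same `dns-rx` and `dhcp-rx` counters as lan and mgmt, so DNS and DHCP hits originating from the DMZ can no longer be told apart from those of the trusted zones; a separate rule with its own counter (for example `iifname dmz01 udp dport 53 counter name dns-dmz-rx accept`, the counter name being a constructed example) would keep the per-zone visibility the rest of the file maintains with dedicated counters. The same loss of separation applies to `fw-dsl` in the third hunk, which now covers return traffic to both lan and dmz01. The new set literals are spelled `{ lan, dmz01 }` while the neighbouring rule in the same chain uses `{lan, dsl}`; pick one spacing. Dropping `table bridge filter` in the last hunk also removes the bridge-level `policy drop` and the `ct state invalid` drop, so if any bridge interface remains on this host after the wifibh removal, bridged frames are presumably no longer filtered at layer 2 and that is worth confirming. All hunks lie inside `table inet filter` chains whose headers are outside the diff.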