Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
-rw-r--r--hosts/vidhar/network/ruleset.nft19
1 files changed, 9 insertions, 10 deletions
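diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 47a55fcc..deeadeef 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -143,13 +143,14 @@ table inet filter {
 oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept
 iifname lan oifname { dsl, bifrost } counter name fw-lan accept
 
-
 iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept
 iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept
 
+iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept
+iifname dsl oifname { lan, ve-printing } ct state { established, related } counter name fw-dsl accept
 
-iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept
-iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+iifname ve-printing oifname lan ct state { established, related } counter name fw-printing accept
+iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept
 
 
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -191,8 +192,7 @@ table inet filter {
 
 iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept
 
-iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
-iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
+iifname lan meta l4proto . th dport { udp . 137, udp . 138, tcp . 139, tcp . 445, udp . 3702, tcp . 5357 } counter name samba-rx accept
 
 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
 iifname lan tcp dport 80 counter name http-rx accept
@@ -201,7 +201,7 @@ table inet filter {
 
 iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
 
-ct state {established, related} counter name established-rx accept
+ct state { established, related } counter name established-rx accept
 
 
 limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
@@ -225,12 +225,12 @@ table inet filter {
 tcp sport 22 counter name ssh-tx
 udp sport 60000-61000 counter name mosh-tx
 
-meta l4proto {tcp, udp} th sport 53 counter name dns-tx
+meta l4proto { tcp, udp } th sport 53 counter name dns-tx
 
 tcp sport 2049 counter name nfs-tx
 
 meta protocol ip udp sport 51820 counter name wg-tx
-meta protocol ip6 udp sport {51821,51822} counter name wg-tx
+meta protocol ip6 udp sport { 51821, 51822 } counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
 
 meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
@@ -239,8 +239,7 @@ table inet filter {
 
 udp sport 67 counter name dhcp-tx accept
 
-udp sport { 137, 138, 3702 } counter name samba-tx accept
-tcp sport { 445, 139, 5357 } counter name samba-tx accept
+meta l4proto . th sport { udp . 137, udp . 138, tcp . 139, tcp . 445, udp . 3702, tcp . 5357 } counter name samba-tx accept
 
 tcp sport { 80, 443 } counter name http-tx accept
 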
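Review bot: In the first hunk the rule at new line 153, `iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept`, is now unreachable: the rule added at new line 150 matches `oifname { lan, ve-printing }` for the same iifname and ct states and accepts first, so line 153 is dead and only survives the commit as a whitespace reformat. Either drop line 153 or narrow line 150 to `iifname dsl oifname ve-printing ct state { established, related } counter name fw-dsl accept` so each rule covers one egress interface and the counters stay attributable. The new rule at line 149 opens outbound TCP 80/443 from ve-printing to dsl, which is a new WAN egress path for the printing container; a one-line comment above it stating what the container needs it for (presumably driver or firmware fetches — confirm) would make the intent auditable later. The enclosing forward chain starts and ends outside the hunk.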