Diffstat (limited to 'hosts/vidhar/network')
-rw-r--r--hosts/vidhar/network/default.nix4
-rw-r--r--hosts/vidhar/network/dhcp/default.nix7
-rw-r--r--hosts/vidhar/network/dsl.nix15
-rw-r--r--hosts/vidhar/network/ruleset.nft22
4 files changed, 21 insertions, 27 deletions
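diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index ddc5d78d..1d0f5465 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -24,7 +24,7 @@ with lib;
 { address = "10.141.1.1"; prefixLength = 24; }
 ];
 };
-interfaces."dmz01" = {
+interfaces."wifibh" = {
 ipv4.addresses = [
 { address = "10.141.2.1"; prefixLength = 24; }
 ];
@@ -39,7 +39,7 @@ with lib;
 id = 3;
 interface = "eno2";
 };
-dmz01 = {
+wifibh = {
 id = 4;
 interface = "eno2";
 };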
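diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index af7a3545..4d8a54ae 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -108,10 +108,6 @@ with lib;
 { hostname = "geri";
 hw-address = "0e:e6:43:5e:37:7b";
 }
-{ hostname = "printer";
-hw-address = "30:cd:a7:b0:55:8d";
-ip-address = "10.141.0.2";
-}
 ];
 }
 { subnet = "10.141.1.0/24";
@@ -122,6 +118,9 @@ with lib;
 { name = "broadcast-address";
 data = "10.141.1.255";
 }
+{ name = "ntp-servers";
+data = "10.141.1.1";
+}
 { name = "domain-name";
 data = "yggdrasil";
 }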
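Review bot: The new `ntp-servers` option on the 10.141.1.0/24 subnet points clients at 10.141.1.1, but the only udp/123 input rule in this commit's ruleset.nft is `iifname { mgmt, ve-printing } udp dport 123 counter name ntp-rx accept`, so the option only works if 10.141.1.0/24 is the `mgmt` interface, which the visible part of default.nix does not confirm. If it is not, DHCP clients are handed an NTP server the firewall silently drops. A one-line comment next to the option would tie the two files together, e.g. `# 10.141.1.1 must be admitted by the ntp-rx input rule in ruleset.nft`. The removed `printer` reservation for 10.141.0.2 has no replacement here, which is consistent with the move to the ve-printing container at 10.141.4.1 in ruleset.nft.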
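diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix
index 536e0e0d..5b7c5ac7 100644
--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -97,13 +97,6 @@ in {
 dnssl = [{ domain_names = ["yggdrasil"]; }];
 # other_config = true;
 }
-{ name = "dmz01";
-advertise = true;
-verbose = true;
-prefix = [{ prefix = "::/64"; }];
-route = [{ prefix = "::/0"; }];
-rdnss = [{ servers = ["::"]; }];
-}
 ];
 
 debug = {
@@ -123,11 +116,6 @@ in {
 interface = "lan";
 network = "::/0";
 };
-dmz01 = {
-method = "iface";
-interface = "dmz01";
-network = "::/0";
-};
 };
 };
 };
@@ -170,7 +158,7 @@ in {
 '';
 
 postStop = ''
-for dev in lan dmz01; do
+for dev in lan; do
 ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
 done
 '';
@@ -195,7 +183,6 @@ in {
 iaid 1195061668
 ipv6rs # enable routing solicitation for WAN adapter
 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
-ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01
 
 reboot 0
 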
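Review bot: The radvd, ndppd and dhcpcd entries for dmz01 are removed, but nothing equivalent is added for the renamed `wifibh` interface, which default.nix keeps as VLAN 4 at 10.141.2.1/24, so that segment is left without a delegated prefix, router advertisements or proxy-NDP after this change. If IPv4-only is intended for it, a short comment in the dhcpcd block would stop someone re-adding the PD later, e.g. `# wifibh (VLAN 4) deliberately gets no prefix delegation, RA or NDP proxy`. The `postStop` loop also now only flushes global IPv6 addresses from `lan`, so addresses the old config had placed on the VLAN 4 interface are not cleaned up by this service on the first restart after deployment; the enclosing service definition starts before and ends after this hunk.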
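diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index da3a9048..d2c88008 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -59,6 +59,9 @@ table inet filter {
 counter fw-lo {}
 counter fw-lan {}
 counter fw-dsl {}
+counter fw-printing {}
+
+counter fw-cups {}
 
 counter reject-ratelimit-fw {}
 counter reject-fw {}
@@ -137,12 +140,17 @@ table inet filter {
 
 iifname lo counter name fw-lo accept
 
-oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
-
+oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept
 iifname lan oifname { dsl, bifrost } counter name fw-lan accept
-iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
 
 
+iifname lan oifname ve-printing ip daddr 10.141.4.1 tcp dport 631 counter name fw-cups accept
+iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:4::1 tcp dport 631 counter name fw-cups accept
+
+
+iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept
+iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+
 
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
 log level debug prefix "reject forward: " counter name reject-fw
@@ -169,7 +177,7 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 
-iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
+iifname { lan, mgmt, wifibh, yggdrasil, ve-printing } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 
 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 
@@ -179,9 +187,9 @@ table inet filter {
 
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
-iifname mgmt udp dport 123 counter name ntp-rx accept
+iifname { mgmt, ve-printing } udp dport 123 counter name ntp-rx accept
 
-iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
+iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept
 
 iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
@@ -268,4 +276,4 @@ table ip mss_clamp {
 
 oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu
 }
-}
\ No newline at end of file
+}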
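Review bot: In the forward hunk, `oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept` has no `iifname`, so ICMP arriving on `dsl` and addressed to the container's global address 2a03:4000:52:ada:4::1 is now handed to forward_icmp_accept, whose contents are outside this diff; unless that chain filters by type and source, the printing container becomes reachable by ICMP from the WAN even though every other path into it is limited to `iifname lan ... tcp dport 631`. Keeping the new case LAN-scoped would match the CUPS rules: leave the original set on the existing line and add `iifname lan oifname ve-printing meta l4proto $icmp_protos jump forward_icmp_accept`. Separately, `fw-dsl` now returns established traffic only to `lan`, and no forward rule in this diff mentions `wifibh`, so wifibh clients get DHCP and DNS from the host (dhcp-rx, dns-rx) but cannot reach `dsl` unless a rule outside these hunks grants it. If that isolation is intended, a comment such as `# wifibh: host services only, no forwarding` next to the fw-lan rule would make it explicit; the enclosing `forward` chain starts before this hunk.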