2 files changed, 50 insertions, 4 deletions
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index deeadeef..2080cf64 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -146,8 +146,8 @@ table inet filter {
    iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept
    iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept
-    iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept
+    # iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept
-    iifname dsl oifname { lan, ve-printing } ct state { established, related } counter name fw-dsl accept
+    # iifname dsl oifname ve-printing ct state { established, related } counter name fw-dsl accept
    iifname ve-printing oifname lan ct state { established, related } counter name fw-printing accept
    iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept
diff --git a/hosts/vidhar/printing/default.nix b/hosts/vidhar/printing/default.nix
index d844823b..55c55b37 100644
--- a/hosts/vidhar/printing/default.nix
+++ b/hosts/vidhar/printing/default.nix
@@ -78,10 +78,56 @@ in {
              listenAddresses = [
                "*:631"
              ];
-              allowFrom = [ "all" ];
+              logLevel = "all";
-              extraConf = ''
+              extraConf = mkForce ''
                ServerName printing
                ServerAlias 10.141.5.1 2a03:4000:52:ada:5::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil
+                DefaultEncryption Never
+                <Location />
+                  Order allow,deny
+                  Allow from 10.0.0.0/8
+                  Satisfy any
+                </Location>
+                <Location /admin>
+                  Order allow,deny
+                  Allow from 10.0.0.0/8
+                  Satisfy any
+                </Location>
+                <Location /admin/conf>
+                  Order allow,deny
+                  Allow from 10.0.0.0/8
+                  Satisfy any
+                </Location>
+                <Policy default>
+                  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
+                    Order allow,deny
+                    Allow from 10.0.0.0/8
+                    Satisfy any
+                  </Limit>
+                  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
+                    Order allow,deny
+                    Allow from 10.0.0.0/8
+                    Satisfy any
+                  </Limit>
+                  <Limit Cancel-Job CUPS-Authenticate-Job>
+                    Order allow,deny
+                    Allow from 10.0.0.0/8
+                    Satisfy any
+                  </Limit>
+                  <Limit All>
+                    Order allow,deny
+                    Allow from 10.0.0.0/8
+                    Satisfy any
+                  </Limit>
+                </Policy>
              '';
            };

diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index deeadeef..2080cf64 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft
@@ -146,8 +146,8 @@ table inet filter {
146	iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept	146	iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept
147	iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept	147	iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept
148		148
149	iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept	149	# iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept
150	iifname dsl oifname { lan, ve-printing } ct state { established, related } counter name fw-dsl accept	150	# iifname dsl oifname ve-printing ct state { established, related } counter name fw-dsl accept
151		151
152	iifname ve-printing oifname lan ct state { established, related } counter name fw-printing accept	152	iifname ve-printing oifname lan ct state { established, related } counter name fw-printing accept
153	iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept	153	iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept


diff --git a/hosts/vidhar/printing/default.nix b/hosts/vidhar/printing/default.nix index d844823b..55c55b37 100644 --- a/hosts/vidhar/printing/default.nix +++ b/hosts/vidhar/printing/default.nix
@@ -78,10 +78,56 @@ in {
78	listenAddresses = [	78	listenAddresses = [
79	"*:631"	79	"*:631"
80	];	80	];
81	allowFrom = [ "all" ];	81	logLevel = "all";
82	extraConf = ''	82	extraConf = mkForce ''
83	ServerName printing	83	ServerName printing
84	ServerAlias 10.141.5.1 2a03:4000:52:ada:5::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil	84	ServerAlias 10.141.5.1 2a03:4000:52:ada:5::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil
		85
		86	DefaultEncryption Never
		87
		88	<Location />
		89	Order allow,deny
		90	Allow from 10.0.0.0/8
		91	Satisfy any
		92	</Location>
		93
		94	<Location /admin>
		95	Order allow,deny
		96	Allow from 10.0.0.0/8
		97	Satisfy any
		98	</Location>
		99
		100	<Location /admin/conf>
		101	Order allow,deny
		102	Allow from 10.0.0.0/8
		103	Satisfy any
		104	</Location>
		105
		106	<Policy default>
		107	<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
		108	Order allow,deny
		109	Allow from 10.0.0.0/8
		110	Satisfy any
		111	</Limit>
		112
		113	<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
		114	Order allow,deny
		115	Allow from 10.0.0.0/8
		116	Satisfy any
		117	</Limit>
		118
		119	<Limit Cancel-Job CUPS-Authenticate-Job>
		120	Order allow,deny
		121	Allow from 10.0.0.0/8
		122	Satisfy any
		123	</Limit>
		124
		125	<Limit All>
		126	Order allow,deny
		127	Allow from 10.0.0.0/8
		128	Satisfy any
		129	</Limit>
		130	</Policy>
85	'';	131	'';
86	};	132	};
87		133