From 3442fd12a9305905b9e77ac81cae25d6b5a91b18 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 5 Mar 2023 12:00:31 +0100
Subject: ...
---
 hosts/vidhar/network/ruleset.nft | 19 +++++++++----------
 hosts/vidhar/printing/ruleset.nft | 3 +--
 2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 47a55fcc..deeadeef 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -143,13 +143,14 @@ table inet filter {
 oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept
 iifname lan oifname { dsl, bifrost } counter name fw-lan accept
- iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept
 iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept
+ iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept
+ iifname dsl oifname { lan, ve-printing } ct state { established, related } counter name fw-dsl accept
- iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept
- iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+ iifname ve-printing oifname lan ct state { established, related } counter name fw-printing accept
+ iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
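Review bot: The re-added `iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept` is now dead: the new `iifname dsl oifname { lan, ve-printing } ct state { established, related } counter name fw-dsl accept` two lines above it matches a strict superset and nftables stops at the first accept, so the narrower rule can never fire and should be deleted rather than re-spaced. The new `iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept` grants the printing container outbound HTTP/HTTPS to every host reachable via dsl with no destination constraint; if this is meant for driver or firmware fetches, consider a named set of permitted destinations, or at least a comment recording why general egress is required. Removing the `ip daddr 10.141.5.1` forward while keeping only the IPv6 CUPS forward means IPv4 clients on lan lose CUPS access unless that is handled elsewhere, which deserves a sentence in the commit message. The enclosing forward chain starts and ends outside the hunk.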
@@ -191,8 +192,7 @@ table inet filter {
 iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept
- iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
- iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
+ iifname lan meta l4proto . th dport { udp . 137, udp . 138, tcp . 139, tcp . 445, udp . 3702, tcp . 5357 } counter name samba-rx accept
 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
 iifname lan tcp dport 80 counter name http-rx accept
@@ -201,7 +201,7 @@ table inet filter {
 iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
- ct state {established, related} counter name established-rx accept
+ ct state { established, related } counter name established-rx accept
 limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
@@ -225,12 +225,12 @@ table inet filter {
 tcp sport 22 counter name ssh-tx
 udp sport 60000-61000 counter name mosh-tx
- meta l4proto {tcp, udp} th sport 53 counter name dns-tx
+ meta l4proto { tcp, udp } th sport 53 counter name dns-tx
 tcp sport 2049 counter name nfs-tx
 meta protocol ip udp sport 51820 counter name wg-tx
- meta protocol ip6 udp sport {51821,51822} counter name wg-tx
+ meta protocol ip6 udp sport { 51821, 51822 } counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
 meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
@@ -239,8 +239,7 @@ table inet filter {
 udp sport 67 counter name dhcp-tx accept
- udp sport { 137, 138, 3702 } counter name samba-tx accept
- tcp sport { 445, 139, 5357 } counter name samba-tx accept
+ meta l4proto . th sport { udp . 137, udp . 138, tcp . 139, tcp . 445, udp . 3702, tcp . 5357 } counter name samba-tx accept
 tcp sport { 80, 443 } counter name http-tx accept
diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft
index f8081431..edf8597d 100644
--- a/hosts/vidhar/printing/ruleset.nft
+++ b/hosts/vidhar/printing/ruleset.nft
@@ -130,8 +130,7 @@ table inet filter {
 meta l4proto $icmp_protos counter name icmp-rx accept
- ip6 saddr 2a03:4000:52:ada:5:: tcp dport 631 counter name cups-rx accept
- ip saddr 10.141.5.0 tcp dport 631 counter name cups-rx accept
+ tcp dport 631 counter name cups-rx accept
 iifname printer udp dport 67 counter name dhcp-rx accept
-- 
cgit v1.2.3
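Review bot: `tcp dport 631 counter name cups-rx accept` now admits CUPS connections from any source on any interface of the container, where the removed rules accepted only the two addresses 10.141.5.0 and 2a03:4000:52:ada:5:: (presumably the host side of the veth pair, given that the network ruleset forwards to ...:5::1). In particular the `printer` interface visible in the dhcp-rx rule directly below can now reach CUPS, so a misbehaving or compromised printer gets the IPP/web interface, and the container no longer does any source filtering of its own but relies entirely on the host's forward chain. Suggest binding the rule to the host-facing interface, or at minimum excluding the printer side: `iifname != printer tcp dport 631 counter name cups-rx accept`. Note also that the host's forward chain in this same commit now forwards lan → ve-printing on 631 over IPv6 only, so IPv4 reachability of CUPS is decided there rather than here. The enclosing input chain starts and ends outside the hunk.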