From 3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 13 Dec 2021 21:36:34 +0100
Subject: surtr: nftables...

---
 hosts/surtr/dns/default.nix | 9 ---------
 hosts/surtr/ruleset.nft | 3 +++
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index ce909b72..746b3ee8 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -7,15 +7,6 @@
 };
 systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
-
- networking.firewall = {
- allowedTCPPorts = [
- 53 # DNS
- ];
- allowedUDPPorts = [
- 53 # DNS
- ];
- };
 services.knot = {
 enable = true;
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 6b47751f..f8cadc94 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -79,6 +79,9 @@ table inet filter {
 meta protocol ip6 udp dport 51821 counter accept
 udp dport 60000-61000 counter accept
+ tcp dport 53 counter accept
+ udp dport 53 counter accept
+
 limit name lim_reject log prefix "drop input: " counter drop
 log prefix "reject input: " counter
-- 
cgit v1.2.3
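Review bot: The two new accept rules for port 53 in ruleset.nft admit DNS from every source with no throttling, while the drop path two lines below is rate-limited through `limit name lim_reject`; since UDP/53 is the usual reflection vector, the rules should say where response-rate limiting lives, e.g. `# authoritative DNS served by knot; response rate limiting is expected in knot, not here — TODO confirm`. The enclosing chain begins outside the hunk, so whether an earlier `ct state` rule already handles return traffic cannot be seen from here. If per-protocol counters are not needed for monitoring, the pair could be written as one rule, `meta l4proto { tcp, udp } th dport 53 counter accept`, but keeping them separate is a reasonable choice for observability. The default.nix hunk is a pure removal of the old `networking.firewall` port list and needs no further comment.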