From 67657a453e654811ed5adf45a4c7aab32dc30274 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 6 Feb 2022 17:19:58 +0100
Subject: bifrost: ...
---
 hosts/surtr/ruleset.nft | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
(limited to 'hosts/surtr/ruleset.nft')
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 132360b9..9d6fd373 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -1,4 +1,4 @@
-define icmp_protos = { ipv6-icmp, icmp, igmp }
+define icmp_protos = {ipv6-icmp, icmp, igmp}
 table arp filter {
 limit lim_arp {
@@ -44,12 +44,16 @@ table inet filter {
 iifname lo counter accept
- meta l4proto $icmp_protos iifname yggdrasil oifname ens3 limit name lim_icmp counter drop
- meta l4proto $icmp_protos iifname yggdrasil oifname ens3 counter accept
+ meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 limit name lim_icmp counter drop
+ meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 counter accept
 meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
 meta l4proto $icmp_protos ct state {established, related} counter accept
+ oifname bifrost counter accept
+ iifname bifrost oifname ens3 counter accept
+
+ limit name lim_reject log prefix "drop forward: " counter drop
 log prefix "reject forward: " counter
 meta l4proto tcp ct state new counter reject with tcp reset
@@ -78,13 +82,13 @@ table inet filter {
 udp dport 60001-61000 counter accept
 meta protocol ip udp dport 51820 counter accept
- meta protocol ip6 udp dport 51821 counter accept
+ meta protocol ip6 udp dport {51821, 51822} counter accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter accept
 tcp dport 53 counter accept
 udp dport 53 counter accept
- tcp dport { 80, 443 } counter accept
+ tcp dport {80, 443} counter accept
 ct state {established, related} counter accept
-- cgit v1.2.3
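Review bot: `oifname bifrost counter accept` in the forward chain carries no `iifname` match, so a packet arriving on any interface, ens3 included, is forwarded into bifrost as long as nothing earlier in the chain (its head is outside the hunk) has already dropped it; the paired rule `iifname bifrost oifname ens3 counter accept` is directional and this one should probably be too, e.g. `iifname <intended-ingress> oifname bifrost counter accept`, or be replaced by a `ct state {established, related}` accept if bifrost only needs replies to its own traffic. Separately, both the new `limit name lim_reject log prefix "drop forward: " counter drop` and the `log prefix "reject forward: "` rule below it log every packet they see, so the named limit only chooses between drop and reject and does not bound log volume; if `lim_reject` is meant to protect the log, keep `log` on one side of the limit only. The definition of `lim_reject` is not in the hunk, so whether it is a plain or a `rate over` limit cannot be checked here.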
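Review bot: The second listener port in `meta protocol ip6 udp dport {51821, 51822} counter accept` is opened on every ingress interface, exactly like 51821 before it, but neither the rule nor the commit message records what listens there or that it belongs to the bifrost peer the other hunk wires up; a comment above the rule, e.g. `# 51821/51822: <service> endpoints, IPv6 only`, would let a later reader check the set against the running services. If the new listener is bound to one interface, matching on it as the `iifname "yggdrasil-wg-*"` GRE rule does would narrow the exposure accordingly.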