From 3dd95b2119e7ddf3ac68aa5a744076e2daa4e99f Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Mon, 13 Dec 2021 21:36:34 +0100
Subject: surtr: nftables...

---
 hosts/surtr/dns/default.nix | 9 ---------
 hosts/surtr/ruleset.nft     | 3 +++
 2 files changed, 3 insertions(+), 9 deletions(-)


diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index ce909b72..746b3ee8 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -7,15 +7,6 @@
       };
 
     systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
-
-    networking.firewall = {
-      allowedTCPPorts = [
-        53 # DNS
-      ];
-      allowedUDPPorts = [
-        53 # DNS
-      ];
-    };
     
     services.knot = {
       enable = true;
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 6b47751f..f8cadc94 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -79,6 +79,9 @@ table inet filter {
     meta protocol ip6 udp dport 51821 counter accept
     udp dport 60000-61000 counter accept
 
+    tcp dport 53 counter accept
+    udp dport 53 counter accept
+
 
     limit name lim_reject log prefix "drop input: " counter drop
     log prefix "reject input: " counter
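Review bot: The two accept rules added at lines 41–42 carry no comment and no scoping, so the ruleset no longer records why port 53 is open, whereas the Nix lines this commit deletes at least carried `# DNS`; tagging the rules would keep that, e.g. `tcp dport 53 counter accept comment "DNS (knot)"` and `udp dport 53 counter accept comment "DNS (knot)"`. Because the table is `inet`, these rules admit both IPv4 and IPv6 from any source, which is presumably intended for an authoritative knot instance but is worth confirming against the knot configuration (outside this hunk) so that no recursive service becomes reachable from arbitrary clients. The blank line added at line 43 sits directly before the existing blank line 44, leaving a double gap before the drop rule. The enclosing chain of `table inet filter` begins before this hunk.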
-- 