From ddcc8c65e30a9ca3b56e25466e749cb100b28510 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 22 Oct 2022 19:33:45 +0200
Subject: ...
---
 hosts/vidhar/network/ruleset.nft | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
(limited to 'hosts/vidhar/network/ruleset.nft')
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index c0da0fa6..473f8a20 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -78,6 +78,7 @@ table inet filter {
 counter ssh-rx {}
 counter mosh-rx {}
 counter dns-rx {}
+ counter nfs-rx {}
 counter wg-rx {}
 counter yggdrasil-gre-rx {}
 counter ipv6-pd-rx {}
@@ -104,6 +105,7 @@ table inet filter {
 counter ssh-tx {}
 counter mosh-tx {}
 counter dns-tx {}
+ counter nfs-tx {}
 counter wg-tx {}
 counter yggdrasil-gre-tx {}
 counter ipv6-pd-tx {}
@@ -152,7 +154,7 @@ table inet filter {
 ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
-
+
 iifname lo counter name rx-lo accept
 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
@@ -165,8 +167,9 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
- iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept
- iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept
+ iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
+
+ iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
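Review bot: The new `nfs-rx` rule in the hunk at -165 accepts TCP 2049 from every host on `lan` and `yggdrasil` with no source-address match, so any peer reachable over those interfaces can talk to the NFS server; if the export is meant for a known set of clients, narrowing the rule (`iifname { lan, yggdrasil } ip saddr <nfs-client-cidr> tcp dport 2049 counter name nfs-rx accept`, with a placeholder address) keeps the exposure to those clients. Only port 2049 is opened, which serves single-port NFSv4 access but would not admit the auxiliary rpcbind/mountd ports an NFSv3 mount uses; if that is deliberate, a comment such as `# NFSv4 only: no rpcbind/mountd ports opened` records the decision. The chain containing these rules starts and ends outside the hunk.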
@@ -182,7 +185,8 @@ table inet filter {
 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
-
+ iifname lan tcp dport 80 counter name http-rx accept
+
 iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
 ct state {established, related} counter name established-rx accept
@@ -209,8 +213,9 @@ table inet filter {
 tcp sport 22 counter name ssh-tx
 udp sport 60000-61000 counter name mosh-tx
- tcp sport 53 counter name dns-tx
- udp sport 53 counter name dns-tx
+ meta l4proto {tcp, udp} th sport 53 counter name dns-tx
+
+ tcp sport 2049 counter name nfs-tx
 meta protocol ip udp sport 51820 counter name wg-tx
 meta protocol ip6 udp sport {51821,51822} counter name wg-tx
@@ -225,7 +230,7 @@ table inet filter {
 udp sport { 137, 138, 3702 } counter name samba-tx accept
 tcp sport { 445, 139, 5357 } counter name samba-tx accept
- tcp sport {80,443} counter name http-tx accept
+ tcp sport { 80, 443 } counter name http-tx accept
 udp sport 69 counter name tftp-tx accept
 udp dport 69 counter name tftp-tx accept
--
cgit v1.2.3
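Review bot: The added lan rule in the hunk at -182 admits only TCP 80 to `http-rx`, while the yggdrasil rule directly above it admits `{ 80, 443 }`, and the output side in the hunk at -225 already allows `tcp sport { 80, 443 }` for both; the asymmetry is not explained by the change. If lan clients are intended to reach the service over plaintext HTTP only, a comment such as `# lan: port 80 only, TLS not offered here` next to the rule stops a later reader from widening it by analogy; if not, the rule should match the yggdrasil set with `iifname lan tcp dport { 80, 443 } counter name http-rx accept`. The chain containing this rule starts and ends outside the hunk.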