From 29480b6e86ca6057d4151accdb5d4103f1657596 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 4 Mar 2023 19:23:36 +0100
Subject: ...

---
 hosts/vidhar/network/default.nix | 4 ++--
 hosts/vidhar/network/dhcp/default.nix | 7 +++----
 hosts/vidhar/network/dsl.nix | 15 +--------------
 hosts/vidhar/network/ruleset.nft | 22 +++++++++++++++-------
 4 files changed, 21 insertions(+), 27 deletions(-)
(limited to 'hosts/vidhar/network')

diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index ddc5d78d..1d0f5465 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -24,7 +24,7 @@ with lib;
 { address = "10.141.1.1"; prefixLength = 24; }
 ];
 };
- interfaces."dmz01" = {
+ interfaces."wifibh" = {
 ipv4.addresses = [
 { address = "10.141.2.1"; prefixLength = 24; }
 ];
@@ -39,7 +39,7 @@ with lib;
 id = 3;
 interface = "eno2";
 };
- dmz01 = {
+ wifibh = {
 id = 4;
 interface = "eno2";
 };
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index af7a3545..4d8a54ae 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -108,10 +108,6 @@ with lib;
 { hostname = "geri";
 hw-address = "0e:e6:43:5e:37:7b";
 }
- { hostname = "printer";
- hw-address = "30:cd:a7:b0:55:8d";
- ip-address = "10.141.0.2";
- }
 ];
 }
 { subnet = "10.141.1.0/24";
@@ -122,6 +118,9 @@ with lib;
 { name = "broadcast-address";
 data = "10.141.1.255";
 }
+ { name = "ntp-servers";
+ data = "10.141.1.1";
+ }
 { name = "domain-name";
 data = "yggdrasil";
 }
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix
index 536e0e0d..5b7c5ac7 100644
--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
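Review bot: The new `ntp-servers` option in the 10.141.1.0/24 subnet (dhcp/default.nix hunk -122) points clients at 10.141.1.1, but the `ntp-rx` input rule in the ruleset.nft hunk at -179 only accepts `udp dport 123` from `{ mgmt, ve-printing }`, so unless an input rule outside this diff already admits NTP from the interface that holds 10.141.1.1, clients that follow the lease will have their NTP queries dropped. That address appears in the default.nix hunk at -24 but the interface name sits above the hunk; if it is `lan`, the nft line would become `iifname { lan, mgmt, ve-printing } udp dport 123 counter name ntp-rx accept`. Separately, the static reservation for `printer` at 10.141.0.2 is removed without a replacement anywhere in the diff, so if that device is still on the network it now draws from the dynamic pool and anything keyed on the old address (print queue URIs, firewall rules) should be checked.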
@@ -97,13 +97,6 @@ in { dnssl = [{ domain_names = ["yggdrasil"]; }]; # other_config = true; } - { name = "dmz01"; - advertise = true; - verbose = true; - prefix = [{ prefix = "::/64"; }]; - route = [{ prefix = "::/0"; }]; - rdnss = [{ servers = ["::"]; }]; - } ]; debug = { @@ -123,11 +116,6 @@ in { interface = "lan"; network = "::/0"; }; - dmz01 = { - method = "iface"; - interface = "dmz01"; - network = "::/0"; - }; }; }; }; @@ -170,7 +158,7 @@ in { ''; postStop = '' - for dev in lan dmz01; do + for dev in lan; do ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}" done ''; @@ -195,7 +183,6 @@ in { iaid 1195061668 ipv6rs # enable routing solicitation for WAN adapter ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN - ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01 reboot 0 diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index da3a9048..d2c88008 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft @@ -59,6 +59,9 @@ table inet filter { counter fw-lo {} counter fw-lan {} counter fw-dsl {} + counter fw-printing {} + + counter fw-cups {} counter reject-ratelimit-fw {} counter reject-fw {} 
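Review bot: `for dev in lan; do` in the postStop hunk (-170) now iterates a single interface, and the dmz01 entries deleted from the radvd list (-97), the block at -123 and the dhcpcd `ia_pd` line (-195) get no counterpart for the `wifibh` interface that replaces dmz01 in default.nix. If wifibh is meant to carry a delegated /64 the way dmz01 did, it needs a radvd interface block, a line such as `ia_pd 1 wifibh/1/64/0 # request a PD and assign it to wifibh` and an entry in this loop; if it is deliberately IPv4-only, a one-line comment where the radvd entry was removed would save the next reader that question. The postStop script is complete within the hunk, but the service definition around it continues outside.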
@@ -137,12 +140,17 @@ table inet filter { iifname lo counter name fw-lo accept - oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept - + oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept iifname lan oifname { dsl, bifrost } counter name fw-lan accept - iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept + iifname lan oifname ve-printing ip daddr 10.141.4.1 tcp dport 631 counter name fw-cups accept + iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:4::1 tcp dport 631 counter name fw-cups accept + + + iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept + iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept + limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop log level debug prefix "reject forward: " counter name reject-fw @@ -169,7 +177,7 @@ table inet filter { iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept - iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept + iifname { lan, mgmt, wifibh, yggdrasil, ve-printing } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept 
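Review bot: The widened jump `oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept` carries no `iifname` qualifier, so ICMP towards the printing container is handed to forward_icmp_accept from any ingress interface, dsl included; whether that is acceptable depends on that chain, which is outside the hunk. If only LAN is meant to reach the container, a separate `iifname lan oifname ve-printing meta l4proto $icmp_protos jump forward_icmp_accept` leaves the original set untouched. Separately, the only ve-printing→lan rule is the established/related one, so the container cannot initiate connections to a network-attached printer on lan; that is fine if the printer is attached to the container directly, but otherwise a narrow rule (printer address and port, counter fw-printing) is still missing. The two fw-cups rules accept new connections only on 631, which is the right scope; the three consecutive blank lines between the cups and printing rules look unintentional.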
@@ -179,9 +187,9 @@ table inet filter { iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept - iifname mgmt udp dport 123 counter name ntp-rx accept + iifname { mgmt, ve-printing } udp dport 123 counter name ntp-rx accept - iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept + iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept @@ -268,4 +276,4 @@ table ip mss_clamp { oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu } -} \ No newline at end of file +} -- cgit v1.2.3
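Review bot: `iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept` (together with the dns-rx change at -169) lets the host serve leases and DNS on wifibh, but the forward hunk at -137 drops dmz01 from `oifname { lan, dmz01 }` rather than renaming it, so nothing in this diff forwards traffic to or from wifibh. If wifibh is meant to be a host-only backhaul that is fine, but if its clients are expected to reach lan or dsl a forward rule for the interface is still needed, or a comment on the interface definition in default.nix stating that it is intentionally not forwarded.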