From c09d60d686dc53e19dbfb5d58fa705ad4a2ec06c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 28 Dec 2021 21:42:05 +0100
Subject: vidhar: samba

---
 hosts/vidhar/ruleset.nft | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
(limited to 'hosts/vidhar/ruleset.nft')

diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index 9135327f..53ae3c92 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -42,6 +42,13 @@ table inet filter {
 
   }
 
+  chain forward_icmp_accept {
+    oifname dsl limit name lim_icmp_dsl counter drop
+    iifname dsl limit name lim_icmp_dsl counter drop
+    oifname != dsl limit name lim_icmp_local counter drop
+    iifname != dsl limit name lim_icmp_local counter drop
+    counter accept
+  }
   chain forward {
     type filter hook forward priority filter
     policy drop
@@ -52,11 +59,7 @@ table inet filter {
 
     iifname lo counter accept
 
-    oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
-    iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
-    oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
-    iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
-    meta l4proto $icmp_protos counter accept
+    oifname {eno1, dsl} meta l4proto $icmp_protos forward_icmp_accept
 
     iifname eno1 oifname dsl counter accept
     iifname dsl oifname eno1 ct state {established, related} counter accept
@@ -104,6 +107,9 @@ table inet filter {
 
     iifname {eno1, mgmt} udp dport 67 counter accept
 
+    iifname eno1 udp dport { 137, 138, 3702 } counter accept
+    iifname eno1 tcp dport { 445, 139, 5357 } counter accept
+
     ct state {established, related} counter accept
-- 
cgit v1.2.3
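Review bot: The new chain `forward_icmp_accept` ends in an unconditional `counter accept`, so any packet that reaches it and is not dropped by one of the four `limit name` rules is accepted regardless of the `ct state` rules that follow in `forward`; that is a deliberate design choice and deserves a comment above the chain, e.g. `# ICMP forwarded across the DSL uplink is rate-limited by lim_icmp_dsl, other directions by lim_icmp_local; anything under the limit is accepted`. The chain has no hook or policy, so it only sees traffic that `forward` explicitly dispatches to it, and the `meta l4proto $icmp_protos` restriction now lives entirely in that caller; a second comment noting that the caller is responsible for selecting ICMP/ICMPv6 would keep the chain from being reused for other protocols by accident. Whether `limit name` matches packets over or under the configured rate depends on how `lim_icmp_dsl` and `lim_icmp_local` are declared, which is outside this hunk, so the comment should reflect the actual object definitions.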
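Review bot: The replacement rule `oifname {eno1, dsl} meta l4proto $icmp_protos forward_icmp_accept` names the chain without a verdict keyword; as far as I know nft only dispatches to a user chain via `jump` or `goto`, so this line should read `oifname {eno1, dsl} meta l4proto $icmp_protos jump forward_icmp_accept` or the ruleset will fail to load. The old rules also matched ICMP on every interface, whereas the new dispatch applies only when the outgoing interface is `eno1` or `dsl`, so forwarded ICMP towards any other interface (hunk 3 shows at least `mgmt` exists) now falls through to the remaining rules and ultimately the chain's `policy drop`; if that narrowing is intended, a short comment on the line saying so would prevent the next reader from treating it as a regression. The enclosing `forward` chain starts in the previous hunk and ends outside this one.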
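Review bot: The two added rules accept NetBIOS name/datagram service (UDP 137, 138), NetBIOS session and SMB (TCP 139, 445) and WS-Discovery (UDP 3702, TCP 5357) from any source address arriving on `eno1`, with no `ip saddr`/`ip6 saddr` restriction; if `eno1` is the LAN, limiting them to the local prefix, e.g. `iifname eno1 ip saddr <LAN-PREFIX> udp dport { 137, 138, 3702 } counter accept` (with a matching `ip6 saddr` rule if IPv6 is in use, since the table is `inet`), keeps the SMB surface from being reachable by anything that is merely routed in through that interface. The port numbers are bare, so a comment such as `# samba: netbios-ns/dgm/ssn, microsoft-ds, ws-discovery` above the pair would document what the commit subject only hints at. The enclosing chain's header and closing brace are outside this hunk, so I cannot confirm from here that this is the `input` chain, though the neighbouring DHCP rule suggests it.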