From c923294b84cdd22bc171337335735cd564f9a03c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 14 Jan 2022 04:14:32 +0100
Subject: Revert "vidhar: ..."
This reverts commit ac71bc3f6216a247615ce36c6eddf25365b00a76.
---
 hosts/vidhar/network/default.nix | 94 ++++++++-------------------------------
 hosts/vidhar/network/dsl.nix | 15 ++++++-
 hosts/vidhar/network/ruleset.nft | 47 +++-----------------
 3 files changed, 37 insertions(+), 119 deletions(-)
(limited to 'hosts/vidhar')
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 29d4ba92..a1d1b172 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -21,7 +21,7 @@
 { address = "10.141.1.1"; prefixLength = 24; }
 ];
 };
- interfaces."wifibh" = {
+ interfaces."dmz01" = {
 ipv4.addresses = [
 { address = "10.141.2.1"; prefixLength = 24; }
 ];
@@ -32,11 +32,11 @@
 id = 2;
 interface = "eno2";
 };
- "eno2.lan" = {
+ lan = {
 id = 3;
 interface = "eno2";
 };
- wifibh = {
+ dmz01 = {
 id = 4;
 interface = "eno2";
 };
@@ -70,6 +70,13 @@
 option domain-name-servers 10.141.1.1;
 option broadcast-address 10.141.1.255;
 }
+
+ subnet 10.141.2.0 netmask 255.255.255.0 {
+ range 10.141.2.128 10.141.2.254;
+ option domain-name-servers 10.141.2.1;
+ option broadcast-address 10.141.2.255;
+ option routers 10.141.2.1;
+ }
 '';
 machines = [
 {
@@ -89,81 +96,16 @@
 }
 ];
 };
- systemd.network = {
- netdevs = {
- "wifibh01" = {
- netdevConfig = {
- Name = "wifibh01";
- Kind = "gretap";
- };
- tunnelConfig = {
- Local = "10.141.2.1";
- Remote = "10.141.2.2";
- };
- };
- "wifibh01.lan" = {
- netdevConfig = {
- Name = "wifibh01.lan";
- Kind = "vlan";
- };
- vlanConfig = {
- Id = 2;
- };
- };
- lan = {
- netdevConfig = {
- Name = "lan";
- Kind = "bridge";
- };
+ systemd.network.networks = {
+ "eno1" = {
+ matchConfig.Name = "eno1";
+ linkConfig = {
+ ActivationPolicy = "down";
 };
 };
-
- networks = {
- "eno1" = {
- matchConfig.Name = "eno1";
- linkConfig = {
- ActivationPolicy = "down";
- };
- };
- "eno2" = {
- matchConfig.Name = "eno2";
- networkConfig.LinkLocalAddressing = "no";
- };
- "40-wifibh" = {
- matchConfig.Name = "wifibh";
- networkConfig = {
- Tunnel = ["wifibh01"];
- };
- };
- "wifibh01" = {
- matchConfig.Name = "wifibh01";
- linkConfig = {
- MACAddress = "02:01:00:00:00:00";
- RequiredForOnline = false;
- };
- networkConfig = {
- LinkLocalAddressing = "no";
- VLAN = ["wifibh01.lan"];
- };
- };
- "wifibh01.lan" = {
- matchConfig.Name = "wifibh01.lan";
- networkConfig.Bridge = "lan";
- extraConfig = ''
- [Bridge]
- HairPin = true
- Cost = 10
- '';
- };
- "40-eno2.lan" = {
- matchConfig.Name = "eno2.lan";
- networkConfig.Bridge = "lan";
- extraConfig = ''
- [Bridge]
- HairPin = false
- Cost = 1
- '';
- };
+ "eno2" = {
+ matchConfig.Name = "eno2";
+ networkConfig.LinkLocalAddressing = "no";
 };
 };
 };
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix
index 9c9a57b8..ae2caec2 100644
--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -95,6 +95,13 @@ in {
 rdnss = [{ servers = ["::"]; }];
 dnssl = [{ domain_names = ["yggdrasil"]; }];
 }
+ { name = "dmz01";
+ advertise = true;
+ verbose = true;
+ prefix = [{ prefix = "::/64"; }];
+ route = [{ prefix = "::/0"; }];
+ rdnss = [{ servers = ["::"]; }];
+ }
 ];
 debug = {
@@ -114,6 +121,11 @@ in {
 interface = "lan";
 network = "::/0";
 };
+ dmz01 = {
+ method = "iface";
+ interface = "dmz01";
+ network = "::/0";
+ };
 };
 };
 };
@@ -156,7 +168,7 @@ in {
 '';
 postStop = ''
- for dev in lan; do
+ for dev in lan dmz01; do
 ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
 done
 '';
@@ -181,6 +193,7 @@ in {
 iaid 1195061668
 ipv6rs # enable routing solicitation for WAN adapter
 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
+ ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01
 reboot 0
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 0a70da39..fb04e449 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -80,7 +80,6 @@ table inet filter {
 counter dns-rx {}
 counter wg-rx {}
 counter yggdrasil-gre-rx {}
- counter wifibh-gre-rx {}
 counter ipv6-pd-rx {}
 counter ntp-rx {}
 counter dhcp-rx {}
@@ -107,7 +106,6 @@ table inet filter {
 counter dns-tx {}
 counter wg-tx {}
 counter yggdrasil-gre-tx {}
- counter wifibh-gre-tx {}
 counter ipv6-pd-tx {}
 counter ntp-tx {}
 counter dhcp-tx {}
@@ -138,7 +136,8 @@ table inet filter {
 oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
 iifname lan oifname dsl counter name fw-lan accept
- iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+ iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
+ limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
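Review bot: The added `ia_pd 1 dmz01/1/64/0` takes sla_id 1 of the same IA_PD whose sla_id 0 already goes to lan, so both /64s can only be assigned if the upstream delegates a /63 or shorter; with a bare /64 delegation the dmz01 assignment presumably fails and dmz01 is left without a global prefix even though the router-advertisement entry for it added earlier in this patch is set to advertise. That constraint is stated nowhere in the hunk, so I would extend the comment to `ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01 (sla_id 1: needs a delegation of /63 or shorter)`. The dhcpcd configuration string starts and ends outside the hunk.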
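Review bot: The new `iifname dsl oifname { lan, dmz01 } ct state {established, related}` accept admits return traffic into dmz01, yet the only originating forward rule visible is `iifname lan oifname dsl counter name fw-lan accept`; nothing in this hunk lets dmz01 open flows towards dsl, so unless such a rule exists outside the hunk the dmz01 member only ever matches flows that were opened by some other path. The added `limit name lim_reject … counter name reject-ratelimit-fw drop` is terminal for every packet that reaches it, so any accept rule placed after it in the forward chain would be unreachable; the forward chain starts and ends outside the hunk, so neither point can be confirmed from here. If the asymmetry is intended, I would record it above the rule: `# dmz01 has no outbound rule towards dsl on purpose; it only receives replies to flows accepted elsewhere`.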
@@ -166,19 +165,18 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
- iifname { lan, mgmt } tcp dport 53 counter name dns-rx accept
- iifname { lan, mgmt } udp dport 53 counter name dns-rx accept
+ iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
+ iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
- iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 iifname mgmt udp dport 123 counter name ntp-rx accept
- iifname { lan, mgmt } udp dport 67 counter name dhcp-rx accept
+ iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
 iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
@@ -217,7 +215,6 @@ table inet filter {
 meta protocol ip udp sport 51820 counter name wg-tx
 meta protocol ip6 udp sport 51821 counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
- iifname wifibh meta l4proto gre counter name wifibh-gre-tx
 meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
@@ -238,40 +235,6 @@ table inet filter {
 }
 }
-table bridge filter {
- counter invalid-fw {}
- counter wifibh-fw {}
- counter lan-fw {}
-
- chain forward {
- type filter hook forward priority filter
- policy drop
-
-
- log level debug prefix "bridge forward: "
-
-
- ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
-
- iifname "wifibh01.lan" counter name wifibh-fw accept
- iifname "eno2.lan" counter name lan-fw accept
- }
-
- chain input {
- type filter hook input priority filter
- policy accept
-
- log level debug prefix "bridge input: "
- }
-
- chain output {
- type filter hook output priority filter
- policy accept
-
- log level debug prefix "bridge output: "
- }
-}
-
 table ip nat {
 counter dsl-nat {}
-- cgit v1.2.3