dadada/nix-config
dadada/nix-config
1
0
Fork 0
Code Issues 2 Pull requests 5 Projects Releases Packages Wiki Activity Actions

agares: add firewall rules allowing some traffic from services

Browse source
This commit is contained in:
Tim Schubert 2023-11-05 00:57:05 +01:00
parent 972f729438
commit 39a33ac0d2
Signed by: dadada
SSH key fingerprint: SHA256:bFAjFH3hR8zRBaJjzQDjc3o4jqoq5EZ87l+KXEjxIz0
1 changed files with 13 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

16
nixos/agares/rules.nft
View file

@ -69,13 +69,23 @@ table inet filter {
udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
}
chain input_srv {
jump input_icmp_untrusted
# DHCP
meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 client"
# Allow DNS and DHCP from SRV
udp dport { 53, 67 } accept comment "Allow DNS and DHCP from services"
}
chain input {
type filter hook input priority filter; policy drop;
ct state {established, related} counter accept comment "Accept packets from established and related connections"
ct state invalid counter drop comment "Early drop of invalid packets"
iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt }
iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, $IF_SRV : jump input_srv }
}
# Only works if hardware flow offloading is available
@ -107,7 +117,7 @@ table inet filter {
iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt"
# FF -> WAN
iifname $IF_FF oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk to WAN"
iifname { $IF_FF, $IF_SRV } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk and services to WAN"
# { WAN, SRV } -> { FF, LAN, RW, SRV }
iifname { $IF_WAN, $IF_SRV } oifname { $IF_FF, $IF_LAN, $IF_ROADW, $IF_SRV } ct state established,related counter accept comment "Allow established back from WAN and SRV"
@ -135,6 +145,6 @@ table ip nat {
table arp filter {
chain input {
type filter hook input priority filter; policy drop;
iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, modem"
iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_SRV, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, SRV, modem"
}
}