agares: add firewall rules allowing some traffic from services

Tim Schubert 2023-11-05 00:57:05 +01:00
parent 972f729438
commit 39a33ac0d2
Signed by: dadada
SSH key fingerprint: SHA256:bFAjFH3hR8zRBaJjzQDjc3o4jqoq5EZ87l+KXEjxIz0


@ -69,13 +69,23 @@ table inet filter {
udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk" udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
} }
chain input_srv {
jump input_icmp_untrusted
# DHCP
meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 client"
# Allow DNS and DHCP from SRV
udp dport { 53, 67 } accept comment "Allow DNS and DHCP from services"
}
chain input { chain input {
type filter hook input priority filter; policy drop; type filter hook input priority filter; policy drop;
ct state {established, related} counter accept comment "Accept packets from established and related connections" ct state {established, related} counter accept comment "Accept packets from established and related connections"
ct state invalid counter drop comment "Early drop of invalid packets" ct state invalid counter drop comment "Early drop of invalid packets"
iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt } iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, $IF_SRV : jump input_srv }
} }
# Only works if hardware flow offloading is available # Only works if hardware flow offloading is available
@ -107,7 +117,7 @@ table inet filter {
iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt" iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt"
# FF -> WAN # FF -> WAN
iifname $IF_FF oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk to WAN" iifname { $IF_FF, $IF_SRV } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk and services to WAN"
# { WAN, SRV } -> { FF, LAN, RW, SRV } # { WAN, SRV } -> { FF, LAN, RW, SRV }
iifname { $IF_WAN, $IF_SRV } oifname { $IF_FF, $IF_LAN, $IF_ROADW, $IF_SRV } ct state established,related counter accept comment "Allow established back from WAN and SRV" iifname { $IF_WAN, $IF_SRV } oifname { $IF_FF, $IF_LAN, $IF_ROADW, $IF_SRV } ct state established,related counter accept comment "Allow established back from WAN and SRV"
@ -135,6 +145,6 @@ table ip nat {
table arp filter { table arp filter {
chain input { chain input {
type filter hook input priority filter; policy drop; type filter hook input priority filter; policy drop;
iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, modem" iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_SRV, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, SRV, modem"
} }
} }
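Review bot: The DHCPv6 rule in the new `input_srv` chain accepts `udp dport 547`, which is the DHCPv6 server/relay port (RFC 8415), while its comment says "Allow DHCPv6 client"; a client on this host would receive replies on port 546, so the port and the comment disagree. Judging by the neighbouring DHCPv4 rule on port 67, the host is presumably the DHCP server for the services network, in which case only the comment is wrong: `meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 requests from services"`. If the host is instead meant to be a DHCPv6 client on this interface, the port should be 546, and unicast replies are already covered by the `ct state {established, related}` rule in `input`. Separately, the `limit rate 1/second burst 2` in the `arp filter` input chain is one anonymous limiter shared by every interface in the set, so adding `$IF_SRV` lets a chatty host on SRV consume the ARP budget of LAN, FF and MGMT as well; one rule per interface would isolate them. The enclosing `table inet filter` starts before the first hunk.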