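# Host firewall via ferm (iptables/ip6tables front-end).
# Default-deny on INPUT and FORWARD, unrestricted OUTPUT. Interface globs
# such as `intern-+` / `dn42-+` match every interface with that prefix.
{
  services.ferm = {
    enable = true;

    config = ''
      # ICMP (v4) and ICMPv6 are accepted unconditionally on INPUT; ICMPv6 in
      # particular is needed for neighbour discovery to work at all.
      domain ip table filter chain INPUT proto icmp ACCEPT;
      domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;

      domain (ip ip6) table filter {
        chain INPUT {
          policy DROP;

          # Fully trusted interfaces: loopback, the VPN overlay and internal links.
          interface lo ACCEPT;
          interface tailscale0 ACCEPT;
          interface intern-+ ACCEPT;

          # Connection-tracking rules sit *before* the port-based ACCEPTs so a
          # packet in INVALID state is dropped even if it targets a listed
          # port, and reply traffic is accepted without walking the port list.
          mod state state (INVALID) DROP;
          mod state state (ESTABLISHED RELATED) ACCEPT;

          # Services reachable from any remaining interface.
          # (http/https resolve to 80/443 and duplicate the numeric entries.)
          proto tcp dport (22 53 80 443 6900 8000 http https) ACCEPT;
          proto udp dport (22 53 480:500 6900 8000) ACCEPT;
          # tcp/179 is BGP; presumably for dn42 peering -- confirm
          proto tcp dport (179) ACCEPT;

          # dns (port 53 is already in the lists above; kept for readability)
          proto (udp tcp) dport domain ACCEPT;
        }

        chain OUTPUT {
          policy ACCEPT;
        }

        chain FORWARD {
          policy DROP;

          # allow intern routing and dn42 forwarding
          interface dn42-+ outerface dn42-+ ACCEPT;
          interface intern-+ outerface intern-+ ACCEPT;
          interface intern-+ outerface dn42-+ ACCEPT;

          # but dn42 -> intern only with exceptions
          interface dn42-+ outerface intern-+ {
            proto (ipv6-icmp icmp) ACCEPT;
            # Allow SSH access from dn42 to devices behind intern-+ interfaces
            proto tcp dport (ssh) ACCEPT;
            # Replies to connections initiated from the intern side.
            # NOTE(review): only ESTABLISHED here, not RELATED as on INPUT -- confirm intended
            mod state state (ESTABLISHED) ACCEPT;
          }
        }
      }
    '';
  };
}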