add firewall rule

2023-12-06 14:33:34 +01:00
parent 8ba21ec498
commit 3958b1891c
2 changed files with 12 additions and 34 deletions


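--- a/<PATH-NOT-SHOWN-1>
+++ b/<PATH-NOT-SHOWN-1>
@@ -161,6 +161,18 @@
 iifname "wg_cloonar" ct state { established, related } counter accept
 iifname "wg_cloonar" drop
+# Allow returning traffic from wrwks and drop everthing else
+iifname "wrwks" ct state { established, related } counter accept
+iifname "wrwks" drop
+# Allow returning traffic from wg_epicenter and drop everthing else
+iifname "wg_epicenter" ct state { established, related } counter accept
+iifname "wg_epicenter" drop
+# Allow returning traffic from wg_ghetto_at and drop everthing else
+iifname "wg_ghetto_at" ct state { established, related } counter accept
+iifname "wg_ghetto_at" drop
 iifname "wan" ct state { established, related } accept comment "Allow established traffic"
 iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
 iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"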
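Review bot: The three new drop rules (`iifname "wrwks" drop` and the wg_epicenter and wg_ghetto_at equivalents) discard without `counter`, unlike the `wan` drop rule at the end of the hunk, so `nft list ruleset` gives no indication of whether unsolicited traffic is arriving on those tunnels; adding `counter` (and a `comment`) to each keeps the chain's drops observable and consistent with the wan rules. The three blocks differ only in the interface name and could be collapsed to one accept/drop pair using an anonymous set, `iifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } ct state { established, related } counter accept` followed by `iifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter drop`, which also removes the chance of a future interface getting only half of the pair. Unlike `wan`, these interfaces drop all ICMP including destination-unreachable and time-exceeded, so path-MTU discovery across the tunnels will not work for inbound-initiated flows — presumably intended, but worth confirming. The three comments misspell "everything" as "everthing". The enclosing chain begins outside the hunk, so its default policy is not visible here.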


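--- a/<PATH-NOT-SHOWN-2>
+++ b/<PATH-NOT-SHOWN-2>
@@ -25,38 +25,4 @@
 };
 };
 };
-# security.acme.certs."${domain}" = {
-# domain = "${domain}";
-# };
-# containers.omada = {
-# autoStart = true;
-# ephemeral = true;
-# macvlans = [ "vserver" ];
-# bindMounts = {
-# "/var/lib/gitea" = {
-# hostPath = "/var/lib/gitea/";
-# isReadOnly = false;
-# };
-# };
-# bindMounts = {
-# "/var/lib/acme/gitea/" = {
-# hostPath = "${config.security.acme.certs.${domain}.directory}";
-# isReadOnly = true;
-# };
-# };
-# config = { lib, config, pkgs, ... }: {
-# networking = {
-# hostName = "gitea";
-# interfaces.mv-vserver = {
-# useDHCP = true;
-# };
-# firewall = {
-# enable = true;
-# allowedTCPPorts = [ 22 80 443 ];
-# };
-# };
-# };
-# };
 }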