From 47cdc1d85400aaf5d2191efd8515f81631ae241f Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Wed, 6 Dec 2023 20:10:32 +0100
Subject: [PATCH] allow traffic to dns from everywhere
---
 .gitea/workflows/default.yaml | 0
 hosts/fw.cloonar.com/modules/firewall.nix | 13 ++-----------
 2 files changed, 2 insertions(+), 11 deletions(-)
 create mode 100644 .gitea/workflows/default.yaml
diff --git a/.gitea/workflows/default.yaml b/.gitea/workflows/default.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 0a23184..6079c2b 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -140,17 +140,7 @@
 "wg_cloonar",
 "smart",
 "multimedia"
-} udp dport { 53, 67, 68 } counter accept
-iifname {
-"lan",
-"server",
-"vserver",
-"vb-*",
-"infrastructure",
-"wg_cloonar",
-"smart",
-"multimedia"
-} tcp dport { 80, 443, 853 } counter accept
+} udp dport { 67, 68 } counter accept
 # Accept mDNS for avahi reflection
 # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept
@@ -192,6 +182,7 @@
 # lan and vpn to any
 # TODO: disable wan when finished
+oifname { "server" } ip daddr 10.42.97.10 udp dport { 53 } accept
 iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept
 iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
 iifname { "infrastructure" } oifname { "server", "vserver" } counter accept
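Review bot: The first hunk removes the whole input-chain accept for `tcp dport { 80, 443, 853 }` on every internal interface, which the subject line (DNS only) does not mention; if the firewall host still serves HTTPS or DNS-over-TLS on those ports for those zones, this change closes them silently. The surviving rule keeps only `udp dport { 67, 68 }`, so DHCP stays reachable but UDP 53 to the host itself is gone as well — presumably intended if the resolver now lives on 10.42.97.10, but that deserves a comment above the rule, e.g. `# DNS is no longer served by this host; see the forward rule to 10.42.97.10`. The enclosing chain starts before the hunk, so I cannot see whether another rule still covers these ports.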
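Review bot: The new forward rule in the second hunk, `oifname { "server" } ip daddr 10.42.97.10 udp dport { 53 } accept`, carries no `iifname` match, so — read together with the `# TODO: disable wan when finished` directly above it — it appears to admit DNS queries arriving on the WAN side too, which would expose 10.42.97.10 as an open resolver usable for reflection unless an earlier rule in this chain already drops WAN traffic (not visible here). It also omits `counter`, unlike every neighbouring rule, and matches UDP only, so answers that exceed the UDP size and retry over TCP 53 will be dropped. If only internal clients are meant to reach it, restrict and widen it in one line: `iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "server" } ip daddr 10.42.97.10 meta l4proto { tcp, udp } th dport 53 counter accept` (or two rules, one per protocol). The surrounding chain continues outside the hunk.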