From 6cfaa64fd2eb042d3c249167b69cc15416b4a7d7 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Wed, 6 Dec 2023 15:20:48 +0100
Subject: [PATCH] remove wan from firewall, combine rule
---
 hosts/fw.cloonar.com/modules/firewall.nix | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index d99ba35..770ad96 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -125,7 +125,6 @@
 # Allow trusted networks to access the router
 iifname {
- "wan", # disable when final
 "server",
 "vserver",
 "lan",
@@ -189,7 +188,7 @@
 # lan and vpn to any
 # TODO: disable wan when finished
- iifname { "wan", "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept
+ iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept
 iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
 iifname { "infrastructure" } oifname { "server", "vserver" } counter accept
@@ -219,10 +218,7 @@
 # Setup NAT masquerading on external interfaces
 chain postrouting {
 type nat hook postrouting priority filter; policy accept;
- oifname { "wan" } masquerade
- oifname { "wrwks" } masquerade
- oifname { "wg_epicenter" } masquerade
- oifname { "wg_ghetto_at" } masquerade
+ oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
 }
 }
 '';
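Review bot: The comment `# TODO: disable wan when finished` directly above the rewritten forward rule is now stale, because this change removes `"wan"` from that rule's iifname set; drop the TODO line, or replace it with `# wan is intentionally not a source here; replies to outbound flows must be accepted by a ct state established,related rule`. I cannot see such an established/related rule in the hunk, so confirm it exists earlier in this chain before relying on it — the enclosing chain starts and ends outside the hunk. Pre-existing and not introduced here, but worth noting while touching the line: `server` and `vserver` can still originate traffic into `lan`, `infrastructure`, `multimedia` and `smart` through this rule, which is broader than the `# lan and vpn to any` comment suggests.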
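Review bot: The merged set `{ "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" }` now spells out the external-interface list a second time, since the forward rule in the previous hunk already lists `oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" }`; as this nft text is generated from Nix, binding the list once (e.g. a `let externalIfs = ...` interpolated into both rules, or an nft `define`) would keep the two from drifting as interfaces are added. The combined rule is functionally identical to the four it replaces, so this is a style point only. Also pre-existing rather than new: `priority filter` on a `type nat hook postrouting` chain is unconventional (the usual value for this hook is `srcnat`), so if it is deliberate a short comment on that line would save the next reader a question.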