From 885660c4e40890185f008a990bb1ea59e69fdd45 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Tue, 28 Nov 2023 20:48:21 +0100
Subject: [PATCH] fix unbound for local traffic
---
hosts/fw.cloonar.com/modules/firewall.nix | 2 +-
hosts/fw.cloonar.com/modules/unbound.nix | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 8a10c1c..26aa5a1 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -20,7 +20,7 @@ type filter hook input priority filter; policy drop; # accept any localhost traffic - iif lo accept + iifname lo accept # Allow trusted networks to access the router iifname {
diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix
index 199d01c..350c23b 100644
--- a/hosts/fw.cloonar.com/modules/unbound.nix
+++ b/hosts/fw.cloonar.com/modules/unbound.nix
@@ -3,7 +3,7 @@ enable = true; settings = { server = { - interface = [ "10.42.96.1" "10.42.97.1" "10.42.99.1" "10.42.254.1" ]; + interface = [ "127.0.0.1" "10.42.96.1" "10.42.97.1" "10.42.99.1" "10.42.254.1" ]; # tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem"; }; # local-zone = "cloonar.com transparent";
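Review bot: The comment above the changed rule in the input chain still reads only `# accept any localhost traffic` and does not record why the match moved from `iif` to `iifname`. `iif lo` compares the interface index and `iifname lo` compares the name string, so for the loopback device both should select the same packets, with `iifname` the slightly costlier match. If the switch was needed to make the ruleset load or to stay consistent with the `iifname { … }` rule below (not determinable from this hunk), say so in the comment, e.g. `# accept any localhost traffic (matched by name, like the rules below)`, so it is not reverted later. The chain body continues outside the hunk.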
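Review bot: The new `interface` list in `server` adds only the IPv4 loopback address, so a local client that queries `::1` still gets no answer from unbound. If IPv6 is enabled on this host and its resolver configuration lists `::1` (not visible in this hunk), add it alongside: `interface = [ "127.0.0.1" "::1" "10.42.96.1" "10.42.97.1" "10.42.99.1" "10.42.254.1" ];`. The `server` block continues outside the hunk, so any `access-control` entries could not be checked here.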