many changes to fw, small fixes to nb

2023-11-27 00:29:16 +01:00
parent ef97530433
commit 8be0cce54a
20 changed files with 669 additions and 83 deletions


@@ -9,7 +9,7 @@
# enable flow offloading for better throughput
flowtable f {
hook ingress priority 0;
devices = { lan, server, wg0, smart, multimedia, guest };
devices = { lan, server, wg_cloonar, smart, multimedia, guest };
}
chain output {
@@ -22,16 +22,16 @@
# Allow trusted networks to access the router
iifname {
"lan",
"wg0"
"wg_cloonar"
} counter accept
# Accept mDNS for avahi reflection
iifname "multimedia" ip saddr <chromecast IP> tcp dport { llmnr } counter accept
iifname "multimedia" ip saddr <chromecast IP> udp dport { mdns, llmnr } counter accept
# Allow returning traffic from wg0 and drop everthing else
iifname "wg0" ct state { established, related } counter accept
iifname "wg0" drop
# Allow returning traffic from wg_cloonar and drop everthing else
iifname "wg_cloonar" ct state { established, related } counter accept
iifname "wg_cloonar" drop
}
chain forward {
@@ -44,7 +44,7 @@
iifname "multimedia" oifname { "lan" } counter accept
# lan and vpn to any
iifname { "lan", "wg0" } oifname { "server", "multimedia", "smart", "wrwks" } counter accept
iifname { "lan", "wg_cloonar" } oifname { "server", "multimedia", "smart", "wrwks", "wg_epicenter_works", "wg_ghetto_at" } counter accept
# Allow trusted network WAN access
iifname {
@@ -52,7 +52,7 @@
"server",
"multimedia",
"smart",
"wg0",
"wg_cloonar",
} oifname {
"wan",
} counter accept comment "Allow trusted LAN to WAN"
@@ -65,7 +65,7 @@
"server",
"multimedia",
"smart",
"wg0",
"wg_cloonar",
} ct state established,related counter accept comment "Allow established back to LANs"
}
}
@@ -78,7 +78,7 @@
# Setup NAT masquerading on the ppp0 interface
chain postrouting {
type nat hook postrouting priority filter; policy accept;
oifname { "wan", "wrwks" } masquerade
oifname { "wan", "wrwks", "wg_epicenter_works", "wg_ghetto_at" } masquerade
}
}
'';
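Review bot: The `iifname "wg_cloonar" drop` closing the second hunk can never match, because the earlier `iifname { "lan", "wg_cloonar" } counter accept` in the same chain already accepts every packet from that interface before the `ct state` and `drop` rules are reached, so the comment "drop everthing else" describes a guard that does not exist (the same held for `wg0` before the rename, which is the natural moment to fix it). Either delete the two `wg_cloonar` ct-state/drop lines or remove `"wg_cloonar"` from the trusted-interface set, depending on whether the tunnel is meant to reach the router at all. The new `wg_epicenter_works` and `wg_ghetto_at` interfaces become forward destinations and masquerade targets but are not added to the list ending in `"Allow established back to LANs"`, whose opening `iifname`/`oifname` keyword lies outside the hunk; if that list is matched on `iifname` and the forward chain's policy is drop, replies from those tunnels to `lan` never get back, so verify the return path or add something like `iifname { "wg_epicenter_works", "wg_ghetto_at" } oifname "lan" ct state established,related counter accept`. Neither new interface is listed in the flowtable `devices` set in the first hunk either, so traffic forwarded into them is not offloaded, which is harmless but inconsistent with `wg_cloonar`. The enclosing `chain` blocks start and end outside these hunks.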