feat: add lms

2025-05-24 10:11:18 +02:00
parent 348d8e1d03
commit 8def0af08f
3 changed files with 120 additions and 2 deletions
--- a/hosts/fw/modules/firewall.nix
+++ b/hosts/fw/modules/firewall.nix
@@ -8,6 +8,18 @@
        "cloonar-fw" = {
          family = "inet";
          content = ''
+            chain snap-qos-raw {
+              type filter hook prerouting priority raw; policy accept;
+              tcp dport 1704 counter mark set 10 comment "Mark Snapcast traffic"
+              tcp dport 3483 counter mark set 10 comment "Mark Squezelite traffic"
+              udp dport 3483 counter mark set 10 comment "Mark Squezelite traffic"
+            }
+
+            chain snap-qos-mangle {
+              type filter hook postrouting priority mangle + 10; policy accept;
+              mark 10 counter ip dscp set cs3 comment "Tag Snapcast with CS3"
+            }
+
            chain output {
              type filter hook output priority 100; policy accept;
            }
@@ -22,6 +34,7 @@
              type filter hook input priority filter; policy drop;
              iifname "lo" accept comment "trusted interfaces"
              iifname "lan" counter accept comment "Spice"
+              iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
              ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow }
              tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info
            }
@@ -40,6 +53,8 @@
              # Accept mDNS for avahi reflection
              iifname "server" ip saddr ${config.networkPrefix}.97.20/32 tcp dport { llmnr } counter accept
              iifname "server" ip saddr ${config.networkPrefix}.97.20/32 udp dport { mdns, llmnr } counter accept
+              iifname "server" udp dport 5353   ip daddr 224.0.0.251  counter accept comment "Avahi mDNS"
+              iifname "lan" udp dport 5353   ip daddr 224.0.0.251  counter accept comment "Avahi mDNS"

              # Allow all returning traffic
              ct state { established, related } counter accept
@@ -80,10 +95,24 @@
              # multimedia airplay
              iifname "multimedia" oifname { "lan" } counter accept
              iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept
+              iifname "multimedia" oifname "server" tcp dport { 3483, 9000 } counter accept
+              iifname "multimedia" oifname "server" udp dport { 3483 } counter accept
+              iifname "multimedia" oifname "server" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
              iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept
              # avahi
              iifname "server" ip saddr ${config.networkPrefix}.97.20/32 oifname { "lan" } counter accept

+              # Allow Chromecast
+              iifname "lan"    oifname "server" udp dport 5353  ip daddr 224.0.0.251   counter accept comment "mDNS query LAN→Server"
+              iifname "server" oifname "lan"    udp sport 5353  ip saddr  224.0.0.251   counter accept comment "mDNS response Server→LAN"
+              iifname "lan"    oifname "server" tcp dport 9881  counter accept comment "chromecast"
+
+              # SSDP / UPnP discovery if needed
+              iifname { "lan", "server" } oifname { "server", "lan" } \
+                udp dport 1900  ip daddr 239.255.255.250   counter accept comment "SSDP query"
+              iifname { "lan", "server" } oifname { "server", "lan" } \
+                udp sport 1900  ip saddr  239.255.255.250   counter accept comment "SSDP response"
+
              # smart home coap
              iifname "smart" oifname "server" ip daddr ${config.networkPrefix}.97.20/32 udp dport { 5683 } counter accept
              iifname "smart" oifname "server" ip daddr ${config.networkPrefix}.97.20/32 tcp dport { 1883 } counter accept