From c8ebc7eff52bd4958d3bc167beb54b0e31f846eb Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Wed, 6 Dec 2023 20:33:47 +0100
Subject: [PATCH] change firewall

---
 hosts/fw.cloonar.com/modules/firewall.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 6079c2b..060b39e 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -131,7 +131,7 @@
 "wg_cloonar"
 } counter accept
 
- # Allow networks to access the dns and dhcp
+ # Allow networks to access dhcp
 iifname {
 "lan",
 "server",
@@ -146,8 +146,6 @@
 # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept
 # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept
 
- # Accept web to git server
- iifname "wan" oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept
 
 # Allow returning traffic from wg_cloonar and drop everthing else
 iifname "wg_cloonar" ct state { established, related } counter accept
@@ -180,6 +178,12 @@
 # multimedia airplay
 iifname "multimedia" oifname { "lan" } counter accept
 
+ # Forward to git server
+ oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept
+
+ # Forward to dns server
+ oifname "server" ip daddr 10.42.97.10 udp dport { 53 } accept
+
 # lan and vpn to any
 # TODO: disable wan when finished
 oifname { "server" } ip daddr 10.42.97.10 udp dport { 53 } accept
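Review bot: The git-server rule added in the third hunk, `oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept`, drops the `iifname "wan"` qualifier that the rule removed in the second hunk carried, so it now matches forwarded traffic from every input interface rather than only the WAN; if that widening is not intended the line should read `iifname "wan" oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept`, and if it is intended, a comment naming the permitted source zones would make the decision visible to the next reader. The added DNS rule `oifname "server" ip daddr 10.42.97.10 udp dport { 53 } accept` has the same match as the existing `oifname { "server" } ip daddr 10.42.97.10 udp dport { 53 } accept` three lines below it, so the later rule can never fire and one of the two should be removed. The new DNS line also omits `counter`, unlike the neighbouring rules, so it would not expose a hit count for inspection. The enclosing chain begins and ends outside the hunk, so whether an interface restriction is applied at chain level cannot be confirmed from here.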