fix firewall

2023-12-03 22:00:07 +01:00
parent 5da0671fc0
commit d764cbde57
2 changed files with 8 additions and 8 deletions
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -70,7 +70,7 @@
            # Allow networks to access the dns and dhcp
            iifname {
              "lan",
-              "vb-gitea",
+              "ve-gitea",
              "podman0",
              "infrastructure",
              "wg_cloonar",
@@ -80,7 +80,7 @@
            iifname {
              "lan",
              "podman0",
-              "vb-gitea",
+              "ve-gitea",
              "infrastructure",
              "wg_cloonar",
              "smart",
@@ -111,14 +111,14 @@

            # lan and vpn to any
            # TODO: disable wan when finished
-            iifname { "wan", "lan", "vb-gitea", "podman0", "wg_cloonar" } oifname { "lan", "vb-gitea", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
-            iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
+            iifname { "wan", "lan", "ve-gitea", "podman0", "wg_cloonar" } oifname { "lan", "ve-gitea", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
+            iifname { "infrastructure" } oifname { "podman0", "ve-omada" } counter accept

            # Allow trusted network WAN access
            iifname {
              "lan",
              "infrastructure",
-              "vb-gitea",
+              "ve-gitea",
              "podman0",
              "multimedia",
              "smart",
@@ -134,11 +134,10 @@
            type nat hook prerouting priority filter; policy accept;
          }

-          # Setup NAT masquerading on the ppp0 interface
+          # Setup NAT masquerading on external interfaces
          chain postrouting {
            type nat hook postrouting priority filter; policy accept;
            oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
-            # oifname { "wan" } masquerade
          }
        }
      '';
--- a/hosts/fw.cloonar.com/modules/gitea.nix
+++ b/hosts/fw.cloonar.com/modules/gitea.nix
@@ -103,7 +103,8 @@ in
    # macvlans = [ "vserver" ];
    privateNetwork = true;
    hostBridge = "server";
-    localAddress = "10.42.97.2/24";
+    hostAddress = "10.42.97.1"
+    localAddress = "10.42.97.2";
    bindMounts = {
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";