From 67e1a6ef2f15436ebaf689ea0d95a57042d75379 Mon Sep 17 00:00:00 2001
From: Yuri Tatishchev
Date: Wed, 21 May 2025 00:15:28 -0700
Subject: [PATCH] router: firewall: add entries for wireguard

---
 hosts/router/firewall.nix | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/hosts/router/firewall.nix b/hosts/router/firewall.nix
index 430c34b..d985da0 100644
--- a/hosts/router/firewall.nix
+++ b/hosts/router/firewall.nix
@@ -85,8 +85,10 @@ in
         family = "inet";
         content = ''
           ${nftIdentifiers}
-          define ALLOWED_TCP_PORTS = { ssh, https }
-          define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https }
+          define ALLOWED_TCP_WAN_PORTS = { ssh }
+          define ALLOWED_UDP_WAN_PORTS = { 18596 }
+          define ALLOWED_TCP_LAN_PORTS = { ssh, https }
+          define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https, 18596 }
           set port_forward_v6 {
             type inet_proto . ipv6_addr . inet_service
             elements = {
@@ -157,8 +159,9 @@ in
           }

           chain zone_wan_input {
-            # Allow SSH from WAN (if needed)
-            tcp dport ssh accept
+            # Allow specific services from WAN
+            tcp dport $ALLOWED_TCP_WAN_PORTS accept
+            udp dport $ALLOWED_UDP_WAN_PORTS accept
           }

           chain zone_wan_forward {
@@ -180,8 +183,8 @@ in
           ip protocol icmp accept

           # Allow specific services from LAN
-          tcp dport $ALLOWED_TCP_PORTS accept
-          udp dport $ALLOWED_UDP_PORTS accept
+          tcp dport $ALLOWED_TCP_LAN_PORTS accept
+          udp dport $ALLOWED_UDP_LAN_PORTS accept
           }

           chain zone_lan_forward {
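Review bot: The literal `18596` in the new `ALLOWED_UDP_WAN_PORTS` and `ALLOWED_UDP_LAN_PORTS` defines is an unexplained magic number that is now duplicated in two sets, so a later change to the WireGuard listen port can silently leave one of them open or stale. Since this is a Nix string, the value can be interpolated once from the place the interface is declared, e.g. `define WG_PORT = ${toString wgListenPort}` with `wgListenPort` bound in the surrounding `let` (from `config.networking.wireguard.interfaces.<name>.listenPort` if that is how the interface is configured here — the interface definition is not in this diff, so confirm), and both sets then reference `$WG_PORT`. At minimum the two defines deserve a comment such as `# 18596: WireGuard listen port, must match the interface's listenPort`. The `content` string continues outside the hunk.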
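Review bot: The replaced comment in `zone_wan_input`, `# Allow specific services from WAN`, drops the information the old comment carried about what is actually exposed, and a reader now has to jump to the defines to learn that the WAN-facing services are SSH and (per the subject line) the WireGuard listen port. Suggest `# Inbound from WAN: SSH (tcp) and the WireGuard listen port (udp); keep these sets minimal` so the WAN exposure surface stays visible where the rule lives. The enclosing nftables ruleset string starts and ends outside this hunk.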