router: firewall: add entries for wireguard

Yuri Tatishchev 2025-05-21 00:15:28 -07:00
parent 5e19bc16f5
commit 67e1a6ef2f
Signed by: CaZzzer
SSH Key Fingerprint: SHA256:sqXB3fe0LMpfH+IeM/vlmxKdso52kssrIJBlwKXVe1U


@ -85,8 +85,10 @@ in
family = "inet"; family = "inet";
content = '' content = ''
${nftIdentifiers} ${nftIdentifiers}
define ALLOWED_TCP_PORTS = { ssh, https } define ALLOWED_TCP_WAN_PORTS = { ssh }
define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https } define ALLOWED_UDP_WAN_PORTS = { 18596 }
define ALLOWED_TCP_LAN_PORTS = { ssh, https }
define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https, 18596 }
set port_forward_v6 { set port_forward_v6 {
type inet_proto . ipv6_addr . inet_service type inet_proto . ipv6_addr . inet_service
elements = { elements = {
@ -157,8 +159,9 @@ in
} }
chain zone_wan_input { chain zone_wan_input {
# Allow SSH from WAN (if needed) # Allow specific services from WAN
tcp dport ssh accept tcp dport $ALLOWED_TCP_WAN_PORTS accept
udp dport $ALLOWED_UDP_WAN_PORTS accept
} }
chain zone_wan_forward { chain zone_wan_forward {
@ -180,8 +183,8 @@ in
ip protocol icmp accept ip protocol icmp accept
# Allow specific services from LAN # Allow specific services from LAN
tcp dport $ALLOWED_TCP_PORTS accept tcp dport $ALLOWED_TCP_LAN_PORTS accept
udp dport $ALLOWED_UDP_PORTS accept udp dport $ALLOWED_UDP_LAN_PORTS accept
} }
chain zone_lan_forward { chain zone_lan_forward {
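Review bot: The literal `18596` now appears in two places in the first hunk (`ALLOWED_UDP_WAN_PORTS` and `ALLOWED_UDP_LAN_PORTS`) with nothing saying what it is, so a later port change has to be made twice and a reader cannot tell from the ruleset that this is the WireGuard listen port. A single named define keeps the two sets in sync and documents the intent: `define WIREGUARD_PORT = 18596` followed by `define ALLOWED_UDP_WAN_PORTS = { $WIREGUARD_PORT }` and `$WIREGUARD_PORT` in the LAN set. In the second hunk, `ALLOWED_TCP_WAN_PORTS = { ssh }` keeps SSH reachable from the WAN while the old "(if needed)" qualifier is dropped from the comment; if that exposure is deliberate, say so in the new comment (`# Allow specific services from WAN: ssh, wireguard`), and if not, the WAN set can be reduced to the WireGuard port alone. The `content` string these hunks sit in begins and ends outside the diff.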