firewall: enable incoming ssh and dhcp6
parent
25eecabc6d
commit
a9848b9668
1 changed files with 12 additions and 2 deletions
@ -3,6 +3,7 @@ let
|
||||||
accept = expr : "${expr} accept";
|
accept = expr : "${expr} accept";
|
||||||
mcast-scope = 8;
|
mcast-scope = 8;
|
||||||
allow-incoming = false;
|
allow-incoming = false;
|
||||||
|
in {
|
||||||
bogons-ip6 = {
|
bogons-ip6 = {
|
||||||
type = "filter";
|
type = "filter";
|
||||||
family = "ip6";
|
family = "ip6";
|
||||||
|
@ -96,6 +97,15 @@ let
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" ")
|
(accept "iifname \"int\" oifname \"ppp0\" ")
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
input-lan = {
|
||||||
|
type = "filter";
|
||||||
|
family = "ip6";
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
(accept "udp dport 547") # dhcp, could restrict to daddr ff02::1:2
|
||||||
|
(accept "tcp dport 22")
|
||||||
|
];
|
||||||
|
};
|
||||||
input-ip6 = {
|
input-ip6 = {
|
||||||
type = "filter";
|
type = "filter";
|
||||||
family = "ip6";
|
family = "ip6";
|
||||||
|
@ -103,10 +113,12 @@ let
|
||||||
hook = "input";
|
hook = "input";
|
||||||
rules = [
|
rules = [
|
||||||
(accept "meta l4proto icmpv6")
|
(accept "meta l4proto icmpv6")
|
||||||
|
"iifname int jump input-lan"
|
||||||
(if allow-incoming
|
(if allow-incoming
|
||||||
then accept "oifname \"int\" iifname \"ppp0\""
|
then accept "oifname \"int\" iifname \"ppp0\""
|
||||||
else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
|
else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
|
||||||
)
|
)
|
||||||
|
# how does this even make sense in an input chain?
|
||||||
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" ")
|
(accept "iifname \"int\" oifname \"ppp0\" ")
|
||||||
];
|
];
|
||||||
|
@ -120,6 +132,4 @@ let
|
||||||
# "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
|
# "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
in {
|
|
||||||
inherit input-ip6 forward-ip6 bogons-ip6 incoming-allowed-ip6;
|
|
||||||
}
|
}
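Review bot: The new `input-lan` chain accepts `udp dport 547` from any LAN source to any destination address, while the rule's own comment notes the narrower match it should have; making that concrete, `(accept "udp dport 547 ip6 daddr ff02::1:2")`, limits the rule to the multicast solicitations clients send, with the caveat that if a DHCPv6 relay on the LAN is expected to unicast to the router, a second rule for the router's own address is needed. The jump rule writes the interface unquoted (`"iifname int jump input-lan"`) whereas every other rule in the file quotes it; `"iifname \"int\" jump input-lan"` keeps the style consistent and avoids any risk of the bare name being read as an nft keyword. Since `input-lan` has no hook it is a regular chain, so LAN traffic that matches neither rule returns to `input-ip6` and continues through the remaining rules there, which looks intended but is worth a one-line comment on the jump. On the added question comment: as far as I can tell an input-hook chain has no output interface, so the `oifname "int"` matches in the following rules cannot succeed and those rules are effectively dead; stating that conclusion (or dropping the `oifname` match there) would be more useful to the next reader than the open question. Note that the `input-ip6` definition begins in the previous hunk, so the chain's policy is not visible here.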
|
||||||