peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

refactor(firewall.nix): remove redundant docker network rules

Browse Source
This commit is contained in:
Giulio De Pasquale 2024-12-10 12:01:45 +00:00
parent cca80288ed
commit 914a26a0ba
1 changed files with 0 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hosts/architect/firewall.nix
View File

@ -54,7 +54,6 @@ in
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${lan.interface} ip saddr ${docker.net} masquerade
oifname ${lan.interface} ip saddr ${tailscale.net} masquerade oifname ${lan.interface} ip saddr ${tailscale.net} masquerade
} }
} }
@ -67,7 +66,6 @@ in
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}" iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}" iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}"
iifname ${tailscale.interface} ip saddr ${tailscale.net} accept iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
@ -123,7 +121,6 @@ in
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan.net} accept comment "lan > local" ip saddr ${lan.net} accept comment "lan > local"
iifname ${docker.interface} accept
ip saddr ${tailscale.net} accept comment "tailscale > local" ip saddr ${tailscale.net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
@ -136,7 +133,6 @@ in
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
ct state established,related accept ct state established,related accept
oifname ${lan.interface} ip saddr ${docker.net} accept
oifname ${lan.interface} ip saddr ${tailscale.net} accept oifname ${lan.interface} ip saddr ${tailscale.net} accept
jump filter_drop jump filter_drop