accept ping

2021-12-08 18:09:13 +01:00 · 2021-12-08 18:09:13 +01:00 · ee9eedbf70
commit ee9eedbf70
parent 62326b6c99
1 changed files with 6 additions and 2 deletions
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@ -120,11 +120,15 @@ in {
                    ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
                    ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
                    ip saddr ${lan-net} accept comment "lan > local"
-        	    ip saddr ${proxy-wg} accept comment "proxy > local"
+        	          ip saddr ${proxy-wg} accept comment "proxy > local"
+                    ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"

                    iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
                    iifname ${wan-if} udp dport {${open_udp_ports}} accept
-                    iifname ${vpn-if} accept comment "vpn > local"
+                    iifname ${vpn-if} tcp dport {${open_tcp_ports}} accept
+                    iifname ${vpn-if} udp dport {${open_udp_ports}} accept
+                    iifname ${vpn-if} udp dport 53 accept
+                    iifname ${vpn-if} icmp type echo-request accept

                    jump filter_drop
                  }