Add forwarding firewall rules

Jakob Lechner 2025-07-28 20:01:39 +02:00
parent 6ddac5f1e2
commit 7b61b01baa


@ -11,9 +11,18 @@
# Fix Intel NIC e1000e hardware unit hang
localCommands = lib.mkBefore "${pkgs.ethtool}/bin/ethtool -K enp0s25 tso off gso off";
firewall.interfaces = {
weinturm.allowedUDPPorts = [53 67];
public-event.allowedUDPPorts = [53 67];
firewall = {
interfaces = {
weinturm.allowedUDPPorts = [53 67];
public-event.allowedUDPPorts = [53 67];
};
filterForward = true;
extraForwardRules = ''
oifname { "jugendtreff", "public-ip4" } meta l4proto tcp tcp dport 25 drop comment "Block outgoing SMTP (TCP/25)"
oifname { "jugendtreff", "public-ip4" } meta l4proto tcp tcp dport { 135, 137, 138, 139, 445 } drop comment "Block MS RPC/NetBIOS/SMB (TCP)"
oifname { "jugendtreff", "public-ip4" } meta l4proto udp udp dport { 135, 137, 138, 139, 445 } drop comment "Block MS RPC/NetBIOS/SMB (UDP)"
oifname { "jugendtreff", "public-ip4" } meta l4proto udp udp dport 1900 drop comment "Block SSDP (UPnP, UDP/1900)"
'';
};
vlans = {