authorEmil Renner Berthing <esmil@labitat.dk>2017-11-17 17:18:28 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2017-11-17 17:21:50 +0100
commit5517f9fcf84ad5043ae7e45da2b592c56a3e8e94 (patch)
tree465dea4279ee9373a82085797c41c1249af14b79 /roles/space_server
parent2f5459008c5e5aecedd64395d0f7a20f6a231112 (diff)
space_server: nftables: cleanup
Allow hop-by-hop ipv6-icmp only on local interfaces.
Diffstat (limited to 'roles/space_server')
-rw-r--r--roles/space_server/files/nftables/nftables.conf9
1 files changed, 5 insertions, 4 deletions
diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
index f038d60..5583749 100644
--- a/roles/space_server/files/nftables/nftables.conf
+++ b/roles/space_server/files/nftables/nftables.conf
@@ -134,10 +134,11 @@ table ip6 filter {
ct state invalid drop
# no ping floods
- ip6 nexthdr { hopopt, ipv6-icmp } limit rate 100/second accept
- ip6 nexthdr { hopopt, ipv6-icmp } drop
+ ip6 nexthdr ipv6-icmp limit rate 100/second accept
+ ip6 nexthdr ipv6-icmp drop
iif lo accept
+ iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
# bird etc. on fiberby link
iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
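Review bot: The added `iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept` rule carries no `limit rate`, so the 100/second cap that the removed `ip6 nexthdr { hopopt, ipv6-icmp }` rules applied to hop-by-hop traffic no longer covers ICMPv6 behind a hop-by-hop header on the local interfaces, and a host on any of those segments can push that path (presumably MLD with the Router Alert option, which is why hop-by-hop is needed) past the "no ping floods" drop two lines above. Consider `iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp limit rate 100/second accept` with a comment such as `# ICMPv6 behind hop-by-hop (MLD etc.) from local segments only, still rate limited`. Separately, hop-by-hop packets that are not ICMPv6, or that arrive on $ext_if, are no longer dropped here and fall through to the rest of the chain, which is only safe if the chain policy is drop; the chain header and policy lie outside this hunk, so that is worth confirming.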
@@ -146,8 +147,8 @@ table ip6 filter {
tcp dport 22 accept
# dns
- ip6 saddr $ext_net6 tcp dport 53 accept
- ip6 saddr $ext_net6 udp dport 53 accept
+ tcp dport 53 ip6 saddr $ext_net6 accept
+ udp dport 53 ip6 saddr $ext_net6 accept
# avahi
ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept
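Review bot: A style point on the reordered DNS rules: the new `tcp dport 53 ip6 saddr $ext_net6 accept` and `udp dport 53 ip6 saddr $ext_net6 accept` put the port match before the address match, while the avahi rule two lines below and the bird rule in the previous hunk keep the address or interface match first, so the chain now mixes both orderings. The matches are ANDed either way, so the behaviour is unchanged; pick one convention for the whole chain. If the intent is to test the port first so most traffic is rejected before the address comparison, a comment such as `# port match first, then restrict to $ext_net6` would make the reordering self-explanatory — the hunk itself does not say why the order changed.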