Diffstat (limited to 'roles/space_server/files/nftables/nftables.conf')
-rw-r--r--roles/space_server/files/nftables/nftables.conf9
1 files changed, 5 insertions, 4 deletions
diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
index 30233b0..f038d60 100644
--- a/roles/space_server/files/nftables/nftables.conf
+++ b/roles/space_server/files/nftables/nftables.conf
@@ -102,15 +102,15 @@ table ip filter {
ct state established,related accept
ct state invalid drop
+ # accept all traffic to spacewand
+ ip daddr $spacewand4 accept
+
ip saddr $labitat udp dport 161 counter accept # traffic stats
# no traffic to admin net
ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
ip daddr $adm_net4 drop
- # accept all traffic to spacewand
- ip daddr $spacewand4 accept
-
# local traffic
iif $adm_if ip saddr $adm_net4 accept
iif $wire_if ip saddr $wire_net4 accept
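Review bot: Moving `ip daddr $spacewand4 accept` above the two `ip daddr $adm_net4` rules changes precedence, not just position: any packet whose destination is in $spacewand4 is now accepted before the `ip saddr $int_net4 ... reject` and the unconditional `drop` for the admin net are evaluated. If $spacewand4 falls inside $adm_net4 (the set definitions are outside this hunk, so this is inferred), the reorder is what makes spacewand reachable from $int_net4 and every other interface, and the comment should say so rather than only "accept all traffic". Suggested wording: `# accept all traffic to spacewand (must precede the adm_net4 reject/drop below)`, and consider a `counter` on the rule, as the `udp dport 161` line has, so the exposure is observable. If only specific networks need spacewand, an `ip saddr` match on the rule would keep the admin-net drop effective for everyone else. The enclosing chain begins and ends outside the hunk.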
@@ -163,11 +163,12 @@ table ip6 filter {
ct state established,related accept
ct state invalid drop
+ # accept all traffic to spacewand
ip6 daddr $spacewand6 accept
iif $wire_if ip6 saddr $wire_net6 accept
iif $priv_if ip6 saddr $priv_net6 accept
- #iif $free_if ip6 saddr $free_net6 ip6 daddr != $int_net6 accept
+ iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
iif $pass_if ip6 saddr $pass_net6 accept
iif $serv_if ip6 saddr $serv_net6 accept