From 5517f9fcf84ad5043ae7e45da2b592c56a3e8e94 Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Fri, 17 Nov 2017 17:18:28 +0100
Subject: space_server: nftables: cleanup

Allow hop-by-hop ipv6-icmp only on local interfaces.
---
 roles/space_server/files/nftables/nftables.conf | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'roles/space_server/files')

diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
index f038d60..5583749 100644
--- a/roles/space_server/files/nftables/nftables.conf
+++ b/roles/space_server/files/nftables/nftables.conf
@@ -134,10 +134,11 @@ table ip6 filter {
 		ct state invalid drop
 
 		# no ping floods
-		ip6 nexthdr { hopopt, ipv6-icmp } limit rate 100/second accept
-		ip6 nexthdr { hopopt, ipv6-icmp } drop
+		ip6 nexthdr ipv6-icmp limit rate 100/second accept
+		ip6 nexthdr ipv6-icmp drop
 
 		iif lo accept
+		iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
 
 		# bird etc. on fiberby link
 		iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
@@ -146,8 +147,8 @@ table ip6 filter {
 		tcp dport 22 accept
 
 		# dns
-		ip6 saddr $ext_net6 tcp dport 53 accept
-		ip6 saddr $ext_net6 udp dport 53 accept
+		tcp dport 53 ip6 saddr $ext_net6 accept
+		udp dport 53 ip6 saddr $ext_net6 accept
 
 		# avahi
 		ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept
-- 
cgit v1.2.1
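Review bot: The new `iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept` line carries no `limit rate`, so the "no ping floods" guard a few lines above does not cover ICMPv6 carried behind a hop-by-hop header on those five interfaces; if that is deliberate (hop-by-hop ICMPv6 from local links is presumably MLD, which must not be throttled away), say so in a comment, otherwise append `limit rate 100/second` to match the rule above. Note also that the `ip6 nexthdr ipv6-icmp` pair only inspects the first next-header, so hop-by-hop traffic of any kind arriving on `$ext_if` now falls through to the rules below instead of being rate-limited or dropped here; whether a later rule or the chain policy catches it is outside this hunk and should be confirmed. Suggested comment for the added line: `# hop-by-hop ICMPv6 (e.g. MLD) accepted unlimited, local links only`. The enclosing chain starts before and ends after the hunk.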
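Review bot: Swapping `ip6 saddr $ext_net6` and `tcp dport 53` changes only the order of the match expressions, not what is accepted, so the two new lines are behaviour-neutral; a short comment saying why the order changed (presumably to lead with the port match, as `tcp dport 22 accept` above does) would stop the next reader from hunting for a semantic difference, e.g. `# dns, external net only (port match first for consistency)`. Since this commit is about extension headers, it is worth recording that `tcp dport`/`udp dport` in the ip6 family match the transport header after any extension headers (meta l4proto), so these rules are unaffected by the hop-by-hop change in the previous hunk. The enclosing chain continues outside the hunk.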