mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
Code Activity

feat: allow IGMP traffic and all ICMP traffic

Browse source
This commit is contained in:
oddlama 2025-01-26 17:59:58 +01:00
parent c39a285bc9
commit 342c4787ab
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
2 changed files with 15 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

35
config/nftables.nix
View file

@ -15,6 +15,7 @@
iifname lo accept iifname lo accept
meta l4proto ipv6-icmp accept meta l4proto ipv6-icmp accept
meta l4proto icmp accept meta l4proto icmp accept
ip protocol igmp accept
tcp dport ${toString (lib.head config.services.openssh.ports)} accept tcp dport ${toString (lib.head config.services.openssh.ports)} accept
} }
chain forward { chain forward {
@ -35,26 +36,6 @@
nnf-drop.enable = true; nnf-drop.enable = true;
nnf-loopback.enable = true; nnf-loopback.enable = true;
nnf-ssh.enable = true; nnf-ssh.enable = true;
nnf-icmp = {
enable = true;
ipv6Types = [
"echo-request"
"destination-unreachable"
"packet-too-big"
"time-exceeded"
"parameter-problem"
"nd-router-advert"
"nd-neighbor-solicit"
"nd-neighbor-advert"
];
ipv4Types = [
"echo-request"
"destination-unreachable"
"router-advertisement"
"time-exceeded"
"parameter-problem"
];
};
}; };
rules.untrusted-to-local = { rules.untrusted-to-local = {
@ -68,6 +49,20 @@
allowedUDPPortRanges allowedUDPPortRanges
; ;
}; };
rules.icmp-and-igmp = {
after = [
"ct"
"ssh"
];
from = "all";
to = [ "local" ];
extraLines = [
"meta l4proto ipv6-icmp accept"
"meta l4proto icmp accept"
"ip protocol igmp accept"
];
};
}; };
}; };
} }

5
hosts/ward/net.nix
View file

@ -165,11 +165,6 @@
); );
networking.nftables.firewall = { networking.nftables.firewall = {
snippets.nnf-icmp.ipv6Types = [
"mld-listener-query"
"nd-router-solicit"
];
zones = zones =
{ {
untrusted.interfaces = [ "wan" ]; untrusted.interfaces = [ "wan" ];