nodes/home.nas: add firewalling for yate sip server
This commit is contained in:
parent
f98720b57b
commit
83db4ba886
1 changed files with 27 additions and 3 deletions
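--- a/nodes/home.nas
+++ b/nodes/home.nas
@@ -52,10 +52,34 @@ nodes['home.nas'] = {
 'custom_rules': [
 # Dell ULNM
 'iptables -A INPUT -p tcp --dport 4679 -j ACCEPT',
-# mosquitto
-'iptables_both -A INPUT -p tcp --dport 1883 -j ACCEPT',
-'iptables_both -A INPUT -p tcp --dport 8083 -j ACCEPT',
 ],
+'port_rules': {
+'1883': { # mosquitto
+'172.19.136.0/25', # wireguard clients, because remote access
+'172.19.138.0/24',
+},
+'5060': { # yate SIP
+'home.snom-wohnzimmer',
+'home.bubble01',
+},
+'5061': { # yate SIPS
+'home.snom-wohnzimmer',
+'home.bubble01',
+},
+'8083': { # mosquitto Websocket
+'172.19.138.0/24',
+},
+# yate RTP uses some random UDP port. We cannot firewall
+# it, because for incoming calls the other side decides
+# which port to use. That's why we simply allow all UDP
+# traffic from our SIP clients. It's fine to do so, because
+# all sip clients are known to bundlewrap, so we won't have
+# to deal with randomly changing IPs here.
+'*/udp': {
+'home.snom-wohnzimmer',
+'home.bubble01',
+},
+},
 },
 'nfs-server': {
 'shares': {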
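Review bot: The `'*/udp'` entry opens every UDP listener on this host to the two SIP clients, not just yate's RTP range, and the same hunk shows the node also runs `'nfs-server'`, whose rpc/nfs services typically listen on UDP as well, so the blast radius of a compromised phone or bubble01 is wider than the comment suggests. Yate lets the RTP port range be pinned in its rtp.conf (`minport`/`maxport` under `[general]`, if I recall the option names correctly), after which the rule can name that range instead of `*` — assuming the iptables bundle's `port_rules` accepts a port range key — and the comment should then say that the range is fixed in rtp.conf rather than "random". Separately, `'5060'` and `'5061'` carry no protocol suffix while `'*/udp'` does, so SIP signalling over UDP is currently only reachable through the catch-all; adding an explicit `'5060/udp': {...}` entry for the same two clients keeps signalling working if the UDP catch-all is later narrowed. The `port_rules` dict also replaces the former `iptables_both` rules, so if mosquitto was reachable over IPv6 before, that access is now dropped — presumably intended, but worth a one-line comment.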