rework firewall setup

2023-09-24 20:59:58 +02:00 · 2023-09-24 20:59:58 +02:00 · cd48cf495d
commit cd48cf495d
parent be62c1270f
30 changed files with 145 additions and 122 deletions
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@ -67,15 +67,15 @@ nodes['home.nas'] = {
        },
        'firewall': {
            'port_rules': {
-                '4679': { # Dell ULNM
+                '4679/tcp': { # Dell ULNM
                    '172.19.136.0/25',
                    '172.19.138.0/24',
                },
-                '5060': { # yate SIP
+                '5060/tcp': { # yate SIP
                    'home.snom-wohnzimmer',
                    'home.mitel-rfp35',
                },
-                '5061': { # yate SIPS
+                '5061/tcp': { # yate SIPS
                    'home.snom-wohnzimmer',
                    'home.mitel-rfp35',
                },
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@ -77,15 +77,16 @@ nodes['home.router'] = {
            #'vars.notification.sms': True
        },
        'nftables': {
-            'rules': {
+            'forward': {
                '50-router': [
-                    # This is a router. Allow forwarding traffic for internal networks.
-                    'inet filter forward ct state { related, established } accept',
-
-                    # yaaaaay, IPv6! No NAT!
-                    'inet filter forward ip6 nexthdr ipv6-icmp accept',
-                    'inet filter forward tcp dport 22 accept',
-                    'nat prerouting tcp dport 2022 dnat 172.19.138.20:22',
+                    'ct state { related, established } accept',
+                    'ip6 nexthdr ipv6-icmp accept',
+                    'tcp dport 22 accept',
+                ],
+            },
+            'prerouting': {
+                '50-router': [
+                    'tcp dport 2022 dnat 172.19.138.20:22',
                ],
            },
        },
--- a/nodes/htz-cloud/miniserver.py
+++ b/nodes/htz-cloud/miniserver.py
@ -164,10 +164,10 @@ nodes['htz-cloud.miniserver'] = {
                '2a01:4f8:0:1::add:9898',
        },
        'nftables': {
-            'rules': {
+            'input': {
                '50-sophie-weechat': [
-                    'inet filter input udp dport { 60000-61000 } accept',
-                    'inet filter input tcp dport 9001 accept',
+                    'udp dport { 60000-61000 } accept',
+                    'tcp dport 9001 accept',
                ],
            },
        },
--- a/nodes/htz-cloud/wireguard.py
+++ b/nodes/htz-cloud/wireguard.py
@ -38,14 +38,18 @@ nodes['htz-cloud.wireguard'] = {
            },
        },
        'nftables': {
-            'rules': {
+            'input': {
                '50-router': [
-                    'inet filter forward ct state { related, established } accept',
-                    'inet filter forward oif eth0 accept',
-                    'nat postrouting oif eth0 masquerade',
+                    'ct state { related, established } accept',
+                    'oifname eth0 accept',
                ],
-                'wg_special': [
-                    'inet filter input udp dport 51819 accept',
+                '50-wireguard': [
+                    'udp dport 51819 accept',
+                ],
+            },
+            'postrouting': {
+                '50-router': [
+                    'oifname eth0 masquerade',
                ],
            },
        },
--- a/nodes/htz-hel/backup-sophie.py
+++ b/nodes/htz-hel/backup-sophie.py
@ -41,10 +41,10 @@ nodes['htz-hel.backup-sophie'] = {
            'zfs-base': 'tank/backups',
        },
        'nftables': {
-            'rules': {
+            'input': {
                '50-sophie-misc': [
-                    'inet filter input udp dport { 60000-61000 } accept',
-                    'inet filter input tcp dport 5201 accept',
+                    'udp dport { 60000-61000 } accept',
+                    'tcp dport 5201 accept',
                ],
            },
        },
--- a/nodes/kunsi-p14s.py
+++ b/nodes/kunsi-p14s.py
@ -34,7 +34,7 @@ nodes['kunsi-p14s'] = {
                #    '192.168.0.0/16',
                #},
                # For the occasional file-share using `python -m http.server`
-                '8000': {'*'},
+                '8000/tcp': {'*'},
            },
        },
        'interfaces': {
@ -68,7 +68,6 @@ nodes['kunsi-p14s'] = {
        'openssh': {
            'restrict-to': {
                'rfc1918',
-                'ipv6',
            },
        },
        'openvpn-client': {
--- a/nodes/kunsi-t470.py
+++ b/nodes/kunsi-t470.py
@ -36,13 +36,13 @@ nodes['kunsi-t470'] = {
        'firewall': {
            'port_rules': {
                # obs websocket thingie - just allow all RFC1918 ips here
-                '4444': {
+                '4444/tcp': {
                    '10.0.0.0/8',
                    '172.16.0.0/12',
                    '192.168.0.0/16',
                },
                # For the occasional file-share using `python -m http.server`
-                '8000': {'*'},
+                '8000/tcp': {'*'},
            },
        },
        'locale': {
@ -73,7 +73,6 @@ nodes['kunsi-t470'] = {
                '10.0.0.0/8',
                '172.16.0.0/12',
                '192.168.0.0/16',
-                'ipv6',
            },
        },
        'pacman': {