magic_rb/dotfiles
1
0
Fork 0
mirror of https://git.sr.ht/~magic_rb/dotfiles synced 2024-11-24 17:16:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Accept wireguard on the WAN interface

Browse source 
Signed-off-by: Magic_RB <magic_rb@redalder.org>
This commit is contained in:
Magic_RB 2023-07-09 23:44:15 +02:00
parent 365fd41adc
commit de00d86dc4
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
nixos/systems/blowhole/firewall.nix
View file

@ -142,6 +142,9 @@ in
tcp dport 22 accept comment "Accept SSH traffic always"
iifname != "lo" tcp dport 5353 drop comment "Drop traffic to dnscrypt-proxy always except for localhost to localhost traffic"
# Accept WireGuard
iifname "${wan}" udp dport 6666 accept;
iifname { "nomad", "ve-monitor", "ve-klipper" } oifname { "nomad", "ve-monitor", "ve-klipper" } accept comment "Allow Nomad to do whatever it wants in its interface"
iifname { "${wlan}", "${lan}", "lo" } accept comment "Allow local network to access the router"
iifname { "${wan}", "${doVPN}", "nomad", "docker0", "ve-monitor", "ve-klipper" } jump input_out