enable = true;
preCheckRuleset = ''
sed -i ruleset.conf \
- -e 's/ip daddr losurdo.wg//'
+ -e 's/ip daddr losurdo.sp//'
'';
ruleset = ''
table inet filter {
- chain input-intra {
- tcp dport { ssh, 2222 } counter accept comment "SSH"
- udp dport 60001-60010 counter accept comment "Mosh"
- #tcp dport 4713 counter accept comment "pulseaudio"
- tcp dport 5201 counter accept comment "iperf"
- }
chain input-net {
}
chain output-lan {
+ tcp dport { http, https } counter accept comment "HTTP(s)"
tcp dport { ssh, 2222 } counter accept comment "SSH"
udp dport 60001-60100 counter accept comment "Mosh"
tcp dport bootps counter accept comment "DHCP"
tcp dport { 4444, 5555 } counter accept
tcp dport 5201 counter accept comment "iperf"
}
- chain output-intra {
- tcp dport { ssh, 2222 } counter accept comment "SSH"
- udp dport 60001-60100 counter accept comment "Mosh"
- tcp dport { http, https } counter accept comment "HTTP"
- tcp dport git counter accept comment "Git"
- tcp dport 5201 counter accept comment "iperf"
- ip daddr losurdo.wg tcp dport 9091 counter accept comment "transmission"
- }
chain output-net {
- tcp dport { ssh, 2222 } counter accept comment "SSH"
+ tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
udp dport 60001-60100 counter accept comment "Mosh"
udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
- meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
tcp dport { http, https } counter accept comment "HTTP"
tcp dport git counter accept comment "Git"
tcp dport imaps counter accept comment "IMAPS"
tcp dport submissions counter accept comment "SMTPS"
- tcp dport { xmpp-client, 5281 } counter accept comment "XMPP"
+ tcp dport xmpp-client counter accept comment "XMPP client"
+ tcp dport 5223 counter accept comment "XMPP client direct TLS"
+ tcp dport 5281 counter accept comment "XMPP HTTPS"
tcp dport nntps counter accept comment "NNTPS"
tcp dport 5201 counter accept comment "iperf"
+ tcp dport 8776 counter accept comment "radicle-node"
}
}
'';
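Review bot: The new outbound allows for 8776 (radicle-node) and 5223/5281 (XMPP) in output-net accept from any local process, while the NTP rule on the same chain is pinned to a service user with skuid; if radicle-node runs as a dedicated user, pin it the same way, e.g. `tcp dport 8776 skuid ${users.radicle.name} counter accept comment "radicle-node"` (substituting the actual account), so an unrelated compromised process cannot reuse the hole. The dnscrypt-proxy2 rule is removed from output-net with no replacement in this hunk; if that resolver is still running and the chain's policy is drop, its upstream queries will be blocked unless the rule now lives in a chain outside this hunk. The preCheckRuleset sed now strips `ip daddr losurdo.sp`, but no rule in the shown ruleset references losurdo.sp (the only losurdo.* rule was in the deleted output-intra chain), so either that sed is dead or the rule it targets is outside this hunk. Likewise, if any base chain outside the hunk still jumps to the deleted input-intra/output-intra chains, the ruleset will fail to load. The enclosing attribute set starts before and ends after this hunk.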