From d8e929181fd52f426096813ea9eba8cc0874dfbb Mon Sep 17 00:00:00 2001
From: clerie
Date: Wed, 13 Jul 2022 22:17:53 +0200
Subject: [PATCH] Apply firewall rules to all interfaces on router

---
 hosts/router/151-net-technik-iot.nix | 6 ++++++
 hosts/router/201-net-ikt.nix | 5 +++++
 hosts/router/202-net-technik.nix | 6 ++++++
 hosts/router/203-net-hospital.nix | 4 ++++
 hosts/router/204-net-zoll.nix | 4 ++++
 hosts/router/205-net-leitstelle.nix | 4 ++++
 hosts/router/206-net-verwaltung.nix | 4 ++++
 hosts/router/208-net-yolo.nix | 4 ++++
 hosts/router/209-net-infojurte.nix | 4 ++++
 hosts/router/210-net-internation.nix | 4 ++++
 hosts/router/211-net-programmtre.nix | 4 ++++
 hosts/router/212-net-open-office.nix | 4 ++++
 hosts/router/42-net-management.nix | 7 +++++++
 hosts/router/configuration.nix | 2 ++
 14 files changed, 62 insertions(+)

diff --git a/hosts/router/151-net-technik-iot.nix b/hosts/router/151-net-technik-iot.nix
index 2f94885..230b5d3 100644
--- a/hosts/router/151-net-technik-iot.nix
+++ b/hosts/router/151-net-technik-iot.nix
@@ -34,4 +34,10 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-technik-iot.rules = [
+    { incomingInterface = "net-ikt"; }
+    # Give technik access to their toys
+    { incomingInterface = "net-technik"; }
+  ];
 }
diff --git a/hosts/router/201-net-ikt.nix b/hosts/router/201-net-ikt.nix
index 919861c..aa14d62 100644
--- a/hosts/router/201-net-ikt.nix
+++ b/hosts/router/201-net-ikt.nix
@@ -47,4 +47,9 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-ikt.rules = [
+    # Allow infrastructure devices to access ikt user devices for downloading software etc
+    { incomingInterface = "net-management"; }
+  ];
 }
diff --git a/hosts/router/202-net-technik.nix b/hosts/router/202-net-technik.nix
index 82f4b6f..d3d8dca 100644
--- a/hosts/router/202-net-technik.nix
+++ b/hosts/router/202-net-technik.nix
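Review bot: `{ incomingInterface = "net-ikt"; }` carries no source, protocol or port qualifier, so — assuming a rule with only incomingInterface accepts all forwarded traffic from that interface, which the module source is not on this page to confirm — every host on net-ikt may reach every host on net-technik-iot; the 201 hunk describes net-ikt as holding user devices, and the same unqualified net-ikt rule recurs in 202, 203, 204, 205, 206, 208, 209, 210, 211, 212 and 42-net-management. The 42-net-management hunk shows the module accepts `sourceAddress` and `sourceAddress6`, so where only a few admin hosts need the access the rule can be pinned, e.g. `{ incomingInterface = "net-ikt"; sourceAddress = "<ADMIN-HOST-IPV4>"; }` (placeholder). Otherwise each of these rules should carry a comment stating why the whole ikt segment is trusted, e.g. `# net-ikt holds the IT team's user devices and is trusted into every segment`.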
@@ -47,4 +47,10 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-technik.rules = [
+    { incomingInterface = "net-ikt"; }
+    # Give the toys access to technik
+    { incomingInterface = "net-technik-iot"; }
+  ];
 }
diff --git a/hosts/router/203-net-hospital.nix b/hosts/router/203-net-hospital.nix
index 4d5b46f..a56789c 100644
--- a/hosts/router/203-net-hospital.nix
+++ b/hosts/router/203-net-hospital.nix
@@ -47,4 +47,8 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-hospital.rules = [
+    { incomingInterface = "net-ikt"; }
+  ];
 }
diff --git a/hosts/router/204-net-zoll.nix b/hosts/router/204-net-zoll.nix
index 140aa72..37c051e 100644
--- a/hosts/router/204-net-zoll.nix
+++ b/hosts/router/204-net-zoll.nix
@@ -47,4 +47,8 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-zoll.rules = [
+    { incomingInterface = "net-ikt"; }
+  ];
 }
diff --git a/hosts/router/205-net-leitstelle.nix b/hosts/router/205-net-leitstelle.nix
index 315a042..9c1bce3 100644
--- a/hosts/router/205-net-leitstelle.nix
+++ b/hosts/router/205-net-leitstelle.nix
@@ -47,4 +47,8 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-leitstelle.rules = [
+    { incomingInterface = "net-ikt"; }
+  ];
 }
diff --git a/hosts/router/206-net-verwaltung.nix b/hosts/router/206-net-verwaltung.nix
index c5e0752..8f640de 100644
--- a/hosts/router/206-net-verwaltung.nix
+++ b/hosts/router/206-net-verwaltung.nix
@@ -47,4 +47,8 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-verwaltung.rules = [
+    { incomingInterface = "net-ikt"; }
+  ];
 }
diff --git a/hosts/router/208-net-yolo.nix b/hosts/router/208-net-yolo.nix
index 3b12f92..56b3661 100644
--- a/hosts/router/208-net-yolo.nix
+++ b/hosts/router/208-net-yolo.nix
@@ -47,4 +47,8 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-yolo.rules = [
+    { incomingInterface = "net-ikt"; }
+  ];
 }
diff --git a/hosts/router/209-net-infojurte.nix b/hosts/router/209-net-infojurte.nix
index 8af232e..cd68910 100644
--- a/hosts/router/209-net-infojurte.nix
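Review bot: `{ incomingInterface = "net-technik-iot"; }` admits all forwarded traffic from the IoT segment into net-technik, and together with the reverse rule in the 151 hunk the two segments become mutually open, which removes most of the benefit of keeping the IoT devices on their own segment. IoT devices are usually the least patchable hosts on a network, so this is the direction worth narrowing: if the module allows it, pin the rule to the hosts or services the devices actually need with `sourceAddress`, as the 42-net-management hunk does for monitoring. The comment `# Give the toys access to technik` should also say what the devices need to reach, so a later reviewer can tighten the rule without guessing.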
+++ b/hosts/router/209-net-infojurte.nix
@@ -47,4 +47,8 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-infojurte.rules = [
+    { incomingInterface = "net-ikt"; }
+  ];
 }
diff --git a/hosts/router/210-net-internation.nix b/hosts/router/210-net-internation.nix
index 9bf1441..dcc15a3 100644
--- a/hosts/router/210-net-internation.nix
+++ b/hosts/router/210-net-internation.nix
@@ -47,4 +47,8 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-internation.rules = [
+    { incomingInterface = "net-ikt"; }
+  ];
 }
diff --git a/hosts/router/211-net-programmtre.nix b/hosts/router/211-net-programmtre.nix
index 9d5425e..2bd044c 100644
--- a/hosts/router/211-net-programmtre.nix
+++ b/hosts/router/211-net-programmtre.nix
@@ -47,4 +47,8 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-programmtre.rules = [
+    { incomingInterface = "net-ikt"; }
+  ];
 }
diff --git a/hosts/router/212-net-open-office.nix b/hosts/router/212-net-open-office.nix
index 8af57b1..a88bd99 100644
--- a/hosts/router/212-net-open-office.nix
+++ b/hosts/router/212-net-open-office.nix
@@ -47,4 +47,8 @@
       ];
     };
   };
+
+  clerie.forward-filter.interfaces.net-open-office.rules = [
+    { incomingInterface = "net-ikt"; }
+  ];
 }
diff --git a/hosts/router/42-net-management.nix b/hosts/router/42-net-management.nix
index 8a32731..658a8dc 100644
--- a/hosts/router/42-net-management.nix
+++ b/hosts/router/42-net-management.nix
@@ -9,4 +9,11 @@
   networking.interfaces.net-management.ipv4.addresses = [
     { address = "10.42.42.1"; prefixLength = 24; }
   ];
+
+  clerie.forward-filter.interfaces.net-management.rules = [
+    { incomingInterface = "net-ikt"; }
+    # Allow monitoring
+    { incomingInterface = "net-services"; sourceAddress = "10.42.10.7"; }
+    { incomingInterface = "net-services"; sourceAddress6 = "2a01:4f8:1c0c:8221::7"; }
+  ];
 }
diff --git a/hosts/router/configuration.nix b/hosts/router/configuration.nix
index 5fe83e5..3c2de0e 100644
--- a/hosts/router/configuration.nix
+++ b/hosts/router/configuration.nix
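Review bot: `{ incomingInterface = "net-ikt"; }` on net-management opens the whole management network (10.42.42.0/24 per the context lines) to every device on the ikt segment, while the two monitoring rules directly below it are pinned to a single host per address family. The management segment is the most sensitive one this router fronts, so the ikt rule deserves the same pinning, one entry per admin workstation such as `{ incomingInterface = "net-ikt"; sourceAddress = "<ADMIN-HOST-IPV4>"; }` (placeholder), or at least a comment recording why blanket access from the user segment is intended. The monitoring entries themselves look right: a source-address pin is only meaningful together with incomingInterface, and both are given.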
@@ -73,6 +73,8 @@
     };
   };
 
+  clerie.forward-filter.enable = true;
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
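Review bot: `clerie.forward-filter.enable = true;` turns the filter on router-wide, but neither this hunk nor the rest of the patch says what happens to forwarded traffic on an interface that has no `rules` entry: net-services appears only as an incomingInterface in the 42-net-management hunk and receives no rules block of its own, and the file numbering jumps from 206 to 208. If the module's default for an unlisted interface is accept, the subject line "Apply firewall rules to all interfaces" does not hold for those interfaces. A comment next to the enable line would settle it, e.g. `# forward-filter: forwarding into interfaces without a rules entry is <dropped|accepted> by default` (fill in from the module), and if the default is accept, net-services needs an explicit entry. The module itself is not part of this patch, so its semantics cannot be checked from here.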