Apply firewall rules to all interfaces on router

2022-07-13 22:17:53 +02:00 · 2022-07-13 22:17:53 +02:00 · d8e929181f
commit d8e929181f
parent 2024601135
14 changed files with 62 additions and 0 deletions
--- a/hosts/router/151-net-technik-iot.nix
+++ b/hosts/router/151-net-technik-iot.nix
@ -34,4 +34,10 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-technik-iot.rules = [
    { incomingInterface = "net-ikt"; }
    # Give technik access to their toys
    { incomingInterface = "net-technik"; }
  ];
 }
--- a/hosts/router/201-net-ikt.nix
+++ b/hosts/router/201-net-ikt.nix
@ -47,4 +47,9 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-ikt.rules = [
    # Allow infrastructure devices to access ikt user devices for downloading software etc
    { incomingInterface = "net-management"; }
  ];
 }
--- a/hosts/router/202-net-technik.nix
+++ b/hosts/router/202-net-technik.nix
@ -47,4 +47,10 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-technik.rules = [
    { incomingInterface = "net-ikt"; }
    # Give the toys access to technik
    { incomingInterface = "net-technik-iot"; }
  ];
 }
--- a/hosts/router/203-net-hospital.nix
+++ b/hosts/router/203-net-hospital.nix
@ -47,4 +47,8 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-hospital.rules = [
    { incomingInterface = "net-ikt"; }
  ];
 }
--- a/hosts/router/204-net-zoll.nix
+++ b/hosts/router/204-net-zoll.nix
@ -47,4 +47,8 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-zoll.rules = [
    { incomingInterface = "net-ikt"; }
  ];
 }
--- a/hosts/router/205-net-leitstelle.nix
+++ b/hosts/router/205-net-leitstelle.nix
@ -47,4 +47,8 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-leitstelle.rules = [
    { incomingInterface = "net-ikt"; }
  ];
 }
--- a/hosts/router/206-net-verwaltung.nix
+++ b/hosts/router/206-net-verwaltung.nix
@ -47,4 +47,8 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-verwaltung.rules = [
    { incomingInterface = "net-ikt"; }
  ];
 }
--- a/hosts/router/208-net-yolo.nix
+++ b/hosts/router/208-net-yolo.nix
@ -47,4 +47,8 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-yolo.rules = [
    { incomingInterface = "net-ikt"; }
  ];
 }
--- a/hosts/router/209-net-infojurte.nix
+++ b/hosts/router/209-net-infojurte.nix
@ -47,4 +47,8 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-infojurte.rules = [
    { incomingInterface = "net-ikt"; }
  ];
 }
--- a/hosts/router/210-net-internation.nix
+++ b/hosts/router/210-net-internation.nix
@ -47,4 +47,8 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-internation.rules = [
    { incomingInterface = "net-ikt"; }
  ];
 }
--- a/hosts/router/211-net-programmtre.nix
+++ b/hosts/router/211-net-programmtre.nix
@ -47,4 +47,8 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-programmtre.rules = [
    { incomingInterface = "net-ikt"; }
  ];
 }
--- a/hosts/router/212-net-open-office.nix
+++ b/hosts/router/212-net-open-office.nix
@ -47,4 +47,8 @@
      ];
    };
  };
  clerie.forward-filter.interfaces.net-open-office.rules = [
    { incomingInterface = "net-ikt"; }
  ];
 }
--- a/hosts/router/42-net-management.nix
+++ b/hosts/router/42-net-management.nix
@ -9,4 +9,11 @@
  networking.interfaces.net-management.ipv4.addresses = [
    { address = "10.42.42.1"; prefixLength = 24; }
  ];
  clerie.forward-filter.interfaces.net-management.rules = [
    { incomingInterface = "net-ikt"; }
    # Allow monitoring
    { incomingInterface = "net-services"; sourceAddress = "10.42.10.7"; }
    { incomingInterface = "net-services"; sourceAddress6 = "2a01:4f8:1c0c:8221::7"; }
  ];
 }
--- a/hosts/router/configuration.nix
+++ b/hosts/router/configuration.nix
@ -73,6 +73,8 @@
    };
  };
  clerie.forward-filter.enable = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave