firewall: protect dmz from guest, iot

author: quentin@aristote.fr <quentin@aristote.fr> 2024-10-27 19:34:26 +0100
committer: quentin@aristote.fr <quentin@aristote.fr> 2024-10-27 19:47:52 +0100
commit: 01d41493d7b463ef0d414c18cc9d0e293861501a (patch)
tree: 1eaf05db11f8c5fff9517a0b13a8aa3d47e381a1 /config/networking/services
parent: 491c4bf6b4596b486b12724e9124a854cc7abc26 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/config/networking/services/firewall/ruleset.nix b/config/networking/services/firewall/ruleset.nix
index e3427e4..3418ef8 100644
--- a/config/networking/services/firewall/ruleset.nix
+++ b/config/networking/services/firewall/ruleset.nix
@@ -137,6 +137,10 @@ in {
         wan_iot.rules = with rulesCommon; sonos.controller-player + ssdp;
         wan_enp3s0.rules = rulesCommon.kdeconnect;
         enp3s0_wan.rules = rulesCommon.kdeconnect;
+        extranet.rules = ''
+          meta iifname wan accept
+          ip daddr != { 192.168.0.0-192.168.255.255, 172.16.0.0-172.31.255.255 } accept
+        '';
         forward = makeBaseChain "filter" "forward" {
           rules = with rulesCommon;
             ''
@@ -144,7 +148,7 @@ in {
             ''
             + conntrack
             + ''
-              meta oifname enp4s0 accept
+              meta oifname enp4s0 goto extranet
               meta iifname . meta oifname vmap   \
                 { wan . iot    : goto wan_iot    \
                 , iot . wan    : goto iot_wan    \
author	quentin@aristote.fr <quentin@aristote.fr>	2024-10-27 19:34:26 +0100
committer	quentin@aristote.fr <quentin@aristote.fr>	2024-10-27 19:47:52 +0100
commit	01d41493d7b463ef0d414c18cc9d0e293861501a (patch)
tree	1eaf05db11f8c5fff9517a0b13a8aa3d47e381a1 /config/networking/services
parent	491c4bf6b4596b486b12724e9124a854cc7abc26 (diff)