author | Kenny Ballou <kballou@devnulllabs.io> | 2020-01-21 23:27:50 -0700 |
---|---|---|
committer | Kenny Ballou <kballou@devnulllabs.io> | 2020-01-21 23:27:50 -0700 |
commit | f060ab67d6e81225cc3fe893aa749ccf44c26409 (patch) | |
tree | 5ddd8e3220c3a642b12aecf3c619f65904e39968 /phenex | |
parent | 9b36f865949588e6a8616c8689fef8786b99ecfc (diff) | |
download | cfg.nix-f060ab67d6e81225cc3fe893aa749ccf44c26409.tar.gz cfg.nix-f060ab67d6e81225cc3fe893aa749ccf44c26409.tar.xz |
firewall rules: allow all output ports to localhost
Instead of explicitly adding rules for every possible service that is
only available from localhost, add a rule that catches all local bound
traffic and accept. It may seem this is unnecessary; however, since the
default policy for out-bound is drop, it turns out to be very necessary.
Signed-off-by: Kenny Ballou <kballou@devnulllabs.io>
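The point the commit makes, that a default-drop output policy silently breaks every locally bound service unless loopback traffic is explicitly accepted, is easiest to see in a complete chain definition. The ruleset below is an added example, not the repository's own rules: it assumes the rules above live in a chain on the `output` hook, uses placeholder service ports and a placeholder `10.0.0.0/8` network, and matches loopback traffic by output interface so that both `127.0.0.0/8` and `::1` are covered in the `inet` table.

```nft
#!/usr/sbin/nft -f
# Added example (not the repository's ruleset): a minimal output chain with a
# default-drop policy, showing why a loopback accept rule is required and how
# to cover both address families. Ports and the 10.0.0.0/8 network are
# placeholders for illustration.
flush ruleset

table inet filter {
    chain output {
        type filter hook output priority 0; policy drop;

        # Without this rule every connection to a locally bound service
        # (127.0.0.1 or ::1) falls through to the drop policy.
        # Matching on the loopback interface covers IPv4 and IPv6 at once,
        # whereas "ip daddr 127.0.0.0/8" matches IPv4 only.
        oif lo counter accept

        # Replies to connections the host already accepted, plus related
        # traffic such as ICMP errors.
        ct state established,related accept

        # Explicit per-service rules for remote destinations.
        tcp dport { http, https } counter accept
        udp dport domain counter accept
        tcp dport postgresql ip daddr 10.0.0.0/8 counter accept

        # Count whatever still reaches the policy, to spot missing rules.
        counter
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list chain inet filter output`: if a local client still cannot reach a service on `localhost`, the packet counter on the trailing `counter` rule (the one that precedes the drop policy) rises, and the `oif lo` counter does not, which points at the missing loopback accept.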
Diffstat (limited to 'phenex')
-rw-r--r-- | phenex/nftables-rules.nft | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/phenex/nftables-rules.nft b/phenex/nftables-rules.nft index 797f164..d004bb5 100644 --- a/phenex/nftables-rules.nft +++ b/phenex/nftables-rules.nft @@ -53,9 +53,9 @@ table inet filter { udp dport rsync counter accept tcp dport 8000 counter accept tcp dport http-alt counter accept - tcp dport 3000 ip daddr 127.0.0.1/8 counter accept udp dport openvpn counter accept tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept + ip daddr 127.0.0.0/8 counter accept counter } } |
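Review bot: the new catch-all `ip daddr 127.0.0.0/8 counter accept` matches IPv4 only, so in this `inet` table a service bound to `::1` (or reached through `localhost` when it resolves to IPv6 first) still falls through to the default-drop policy; consider matching the loopback interface instead, e.g. `oif lo counter accept`, or add `ip6 daddr ::1 counter accept` next to it. The remaining `tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept` also still lists the loopback prefix, which the new rule now covers, so it could be trimmed to `10.0.0.0/8`; and the two rules spell the same prefix differently (`127.0.0.1/8` versus `127.0.0.0/8`), which nft accepts but which is confusing to read side by side.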