author: Kenny Ballou <kballou@devnulllabs.io> 2020-01-21 23:27:50 -0700
committer: Kenny Ballou <kballou@devnulllabs.io> 2020-01-21 23:27:50 -0700
commit: f060ab67d6e81225cc3fe893aa749ccf44c26409 (patch)
tree: 5ddd8e3220c3a642b12aecf3c619f65904e39968 /phenex
parent: 9b36f865949588e6a8616c8689fef8786b99ecfc (diff)
download: cfg.nix-f060ab67d6e81225cc3fe893aa749ccf44c26409.tar.gz, cfg.nix-f060ab67d6e81225cc3fe893aa749ccf44c26409.tar.xz
firewall rules: allow all output ports to localhost
Instead of explicitly adding rules for every possible service that is only available from localhost, add a rule that catches all local bound traffic and accept. It may seem this is unnecessary, however, since the default policy for out-bound is drop, it turns out to be very necessary.

Signed-off-by: Kenny Ballou <kballou@devnulllabs.io>
Diffstat (limited to 'phenex')
-rw-r--r--  phenex/nftables-rules.nft  2
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phenex/nftables-rules.nft b/phenex/nftables-rules.nft
index 797f164..d004bb5 100644
--- a/phenex/nftables-rules.nft
+++ b/phenex/nftables-rules.nft
@@ -53,9 +53,9 @@ table inet filter {
udp dport rsync counter accept
tcp dport 8000 counter accept
tcp dport http-alt counter accept
- tcp dport 3000 ip daddr 127.0.0.1/8 counter accept
udp dport openvpn counter accept
tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ ip daddr 127.0.0.0/8 counter accept
counter
}
}
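Review bot: the new catch-all `ip daddr 127.0.0.0/8 counter accept` only matches IPv4 loopback, so in this `inet` table any service reached over `::1` still falls through to the chain's default drop; matching the loopback interface instead, e.g. `oif lo counter accept`, covers both address families and cannot be hit by a packet that carries a 127.0.0.0/8 destination but is routed out a real interface. With the catch-all in place, the `127.0.0.1/8` half of the `postgresql` rule two lines above becomes redundant and could be reduced to `10.0.0.0/8`, and the removed port-3000 rule shows the older, non-canonical `127.0.0.1/8` prefix notation that the new rule corrects; worth keeping the remaining rules consistent with `127.0.0.0/8`.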