author | Kenny Ballou <kballou@devnulllabs.io> | 2019-07-18 05:56:30 -0600 |
---|---|---|
committer | Kenny Ballou <kballou@devnulllabs.io> | 2019-07-18 05:56:30 -0600 |
commit | cace371fa291bffd48ea3310a496762a9ba29559 (patch) | |
tree | 29055ed2deeec89b942c529e1df571c6272b56e6 /services | |
parent | 4ab6e2130b36505f33fcf4c1f87af1d001c47818 (diff) | |
firewall: update docker input traffic saddr
Instead of allowing the entire `172/8` block which includes more than we
actually want, appropriately limit to the `172.16/12`.
Signed-off-by: Kenny Ballou <kballou@devnulllabs.io>
Diffstat (limited to 'services')
-rw-r--r-- | services/nftables-rules.nft | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/services/nftables-rules.nft b/services/nftables-rules.nft index be39d0b..3635100 100644 --- a/services/nftables-rules.nft +++ b/services/nftables-rules.nft @@ -8,7 +8,7 @@ table inet filter { iif != lo ip6 daddr ::1/128 counter drop ip protocol icmp counter accept ip6 nexthdr ipv6-icmp counter accept - udp dport domain ip saddr 172.0.0.1/8 counter accept + udp dport domain ip saddr 172.16.0.0/12 counter accept tcp dport 8000 ip saddr 127.0.0.1/8 counter accept tcp dport http-alt ip saddr 127.0.0.1/8 counter accept tcp dport ssh counter accept |
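
Review bot: The added `udp dport domain ip saddr 172.16.0.0/12 counter accept` rule still matches on source address alone, so a host that reaches this machine from any 172.16.0.0/12 address on any interface is allowed to query DNS. That range is the whole RFC 1918 private block, not only Docker's bridges. Consider constraining the input interface as well, for example `iifname "docker0" udp dport domain ip saddr 172.16.0.0/12 counter accept`, assuming the containers sit on Docker's default bridge (the interface name is not visible in this hunk). Separately, only UDP is accepted for `domain` here; if there is no matching TCP rule elsewhere in the file, DNS queries from containers that retry over TCP after a truncated response will not match this rule.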